< BACK TO NEWS
negativeSYS.SOURCE: The Hacker News2026-07-10T17:17:43+05:30

Unpatched XRING Vulnerability in XQUIC Enables Remote HTTP/3 Server Crashes

#HTTP/3#XQUIC#Server Security#Denial of Service#Open Source

An unpatched vulnerability in XQUIC's QPACK implementation allows remote clients to crash HTTP/3 servers using standard traffic, affecting systems like Tengine. No official patch or CVE has been released, with mitigations requiring configuration changes or disabling HTTP/3.

A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch.

FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server

Read original article

*** END OF TRANSMISSION ***

> RYANAIR PASSENGER INJURED AFTER MIDAIR ENGINE FAILURE LEADS TO CABIN WINDOW DAMAGE> LAYLO SEEKS HEAD OF FINANCE FOR SAAS GROWTH> LATE BRONZE AGE COLLAPSE: ARCHAEOLOGICAL INSIGHTS AND HISTORICAL ANALYSIS> UNPATCHED XRING VULNERABILITY IN XQUIC ENABLES REMOTE HTTP/3 SERVER CRASHES> LUMEN TECHNOLOGIES EXPANDS ASSET INVENTORY TO 1.1 MILLION VIA ADVANCED EXPOSURE MANAGEMENT> EXPOSED HACKER SERVER UNVEILS WP-SHELLSTORM WEBSHELL CAMPAIGN TARGETING WORDPRESS AND JOOMLA SITES> EU COMMISSION ALLEGES INSTAGRAM AND FACEBOOK VIOLATE DSA WITH ADDICTIVE DESIGN FEATURES> STUDY REVEALS SECURITY VULNERABILITIES IN 281 FREE ANDROID VPN APPLICATIONS> THE PHILOSOPHY OF INVISIBLE TOOLS IN SOFTWARE DEVELOPMENT> SOPHISTICATED PHISHING CAMPAIGN EXPLOITS MICROSOFT ENTRA PASSKEY ENROLLMENT FOR UNAUTHORIZED ACCESS> RYANAIR PASSENGER INJURED AFTER MIDAIR ENGINE FAILURE LEADS TO CABIN WINDOW DAMAGE> LAYLO SEEKS HEAD OF FINANCE FOR SAAS GROWTH> LATE BRONZE AGE COLLAPSE: ARCHAEOLOGICAL INSIGHTS AND HISTORICAL ANALYSIS> UNPATCHED XRING VULNERABILITY IN XQUIC ENABLES REMOTE HTTP/3 SERVER CRASHES> LUMEN TECHNOLOGIES EXPANDS ASSET INVENTORY TO 1.1 MILLION VIA ADVANCED EXPOSURE MANAGEMENT> EXPOSED HACKER SERVER UNVEILS WP-SHELLSTORM WEBSHELL CAMPAIGN TARGETING WORDPRESS AND JOOMLA SITES> EU COMMISSION ALLEGES INSTAGRAM AND FACEBOOK VIOLATE DSA WITH ADDICTIVE DESIGN FEATURES> STUDY REVEALS SECURITY VULNERABILITIES IN 281 FREE ANDROID VPN APPLICATIONS> THE PHILOSOPHY OF INVISIBLE TOOLS IN SOFTWARE DEVELOPMENT> SOPHISTICATED PHISHING CAMPAIGN EXPLOITS MICROSOFT ENTRA PASSKEY ENROLLMENT FOR UNAUTHORIZED ACCESS