negativeSYS.SOURCE: The Hacker News• 2026-07-10T17:17:43+05:30
Unpatched XRING Vulnerability in XQUIC Enables Remote HTTP/3 Server Crashes
#HTTP/3#XQUIC#Server Security#Denial of Service#Open Source
An unpatched vulnerability in XQUIC's QPACK implementation allows remote clients to crash HTTP/3 servers using standard traffic, affecting systems like Tengine. No official patch or CVE has been released, with mitigations requiring configuration changes or disabling HTTP/3.
A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch.
FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server
*** END OF TRANSMISSION ***