Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

Read full story on The Hacker News
Share
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
AI disclosure

Summary

A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server

Original reporting

Open original source

Related coverage

Read full article on The Hacker News

Get the AFBytes Brief

Major stories, AI-assisted analysis, and what to watch next. Free, monthly, unsubscribe anytime.