Rescana
XRING Vulnerability in XQUIC Threatens HTTP/3 Servers with Remote Crash Risk
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical unpatched vulnerability, XRING, has been identified in the XQUIC library, affecting HTTP/3 servers. This flaw allows any remote, unauthenticated client to crash servers using XQUIC with as little as 260 bytes of legal QPACK traffic. All releases of XQUIC up to v1.9.4 are impacted, including Alibaba's Tengine, which is used by major platforms like Taobao and Alipay. The vulnerability stems from a memory corruption issue in the QPACK dynamic table implementation, leading to potential denial-of-service attacks. As of July 10, 2026, there is no patch or CVE assigned, and while a public proof-of-concept (PoC) exists, there are no confirmed reports of exploitation in the wild. The CISA Known Exploited Vulnerabilities catalog does not list this issue, indicating no confirmed active exploitation. The vulnerability has existed since January 2022 and poses a significant risk to organizations relying on HTTP/3 infrastructure.
Key Points: • The XRING vulnerability in XQUIC allows remote clients to crash HTTP/3 servers. • No patch or CVE has been assigned as of July 10, 2026, despite the public disclosure. • The flaw has existed since January 2022 and affects all XQUIC versions up to v1.9.4.