XRING Vulnerability in XQUIC Threatens HTTP/3 Servers with Remote Crash Risk

XRING Vulnerability in XQUIC Threatens HTTP/3 Servers with Remote Crash Risk

First seen 12 Jul 2026, 12:28 UTC ThehackernewsRescanathreat-modeling.com 83% similarity 64.5

Article Content

Browse articles
ThreatCluster

A critical unpatched vulnerability, XRING, has been identified in the XQUIC library, affecting HTTP/3 servers. This flaw allows any remote, unauthenticated client to crash servers using XQUIC with as little as 260 bytes of legal QPACK traffic. All releases of XQUIC up to v1.9.4 are impacted, including Alibaba's Tengine, which is used by major platforms like Taobao and Alipay. The vulnerability stems from a memory corruption issue in the QPACK dynamic table implementation, leading to potential denial-of-service attacks. As of July 10, 2026, there is no patch or CVE assigned, and while a public proof-of-concept (PoC) exists, there are no confirmed reports of exploitation in the wild. The CISA Known Exploited Vulnerabilities catalog does not list this issue, indicating no confirmed active exploitation. The vulnerability has existed since January 2022 and poses a significant risk to organizations relying on HTTP/3 infrastructure.

Key Points: • The XRING vulnerability in XQUIC allows remote clients to crash HTTP/3 servers. • No patch or CVE has been assigned as of July 10, 2026, despite the public disclosure. • The flaw has existed since January 2022 and affects all XQUIC versions up to v1.9.4.

ThreatCluster AI

Timeline

2022-01-01
XRING vulnerability introduced
The XRING vulnerability has existed since the first public release of XQUIC in January 2022.
Rescana
2026-06-17
CVE-2026-42530 published
CVE-2026-42530 was published, related to a different bug in NGINX's HTTP/3 module.
Rescana
2026-06-19
First public PoC for CVE-2026-42530
The first public proof-of-concept for CVE-2026-42530 was released, demonstrating its exploitability.
Rescana
2026-07-10
Public disclosure of XRING vulnerability
The XRING vulnerability was publicly disclosed, highlighting its trivial exploitation vector.
Rescana

Community

Browse all →