Close Menu
    What's Hot

    Joseph Fraumeni, 93, Dies; Helped Discover Genetic Link to Cancer

    How American Socialism Changed, and Stormed the Democratic Party

    How Terrorist Groups Are Using A.I. to Gain an Edge in Battle

    Facebook X (Twitter) Instagram
    Trending
    • Joseph Fraumeni, 93, Dies; Helped Discover Genetic Link to Cancer
    • How American Socialism Changed, and Stormed the Democratic Party
    • How Terrorist Groups Are Using A.I. to Gain an Edge in Battle
    • OpenAI launches its new family of models with GPT-5.6
    • Japan sheds ties as price index shake-up reflects changing habits
    • The billionaire dreaming of AI data centres in the desert
    • Hollie Doyle blog: More Thunder can strike in Summer Mile at Ascot with Newmarket and York also staging big Saturday races | Racing News
    • Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

    adminBy adminJuly 10, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

    A single wrong variable on one line in XQUIC, Alibaba’s QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch.

    FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server process down.

    XQUIC is open-source, so the risk is not Alibaba’s alone: any server that embeds it and serves HTTP/3 with the default QPACK settings is exposed. That includes Tengine, Alibaba’s Nginx-based web server, which FoxIO says fronts the company’s cloud and CDN on sites including Taobao and Alipay.

    Every release through v1.9.4, the latest, is affected. There is no fixed release and no CVE as of July 10. Until a fix ships, operators can set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0, which turns off QPACK’s dynamic table, or drop HTTP/3 support entirely.

    The bug lives in how HTTP/3 compresses headers. To avoid sending the same header (say, user-agent) over and over, HTTP/3 uses QPACK. It keeps a shared table that the client directs the server to build up and resize through a dedicated control channel, the encoder stream.

    Cybersecurity

    XQUIC stores that table’s bytes in a ring buffer, a fixed block of memory where data wraps from the end back to the start once it fills.

    When the client asks to grow the table, XQUIC allocates a bigger buffer and copies the old data across. That copy has four cases, depending on whether the data wraps in the old buffer, the new one, both, or neither. In one of them, the code sizes the leftover tail data against the new, larger buffer’s capacity instead of the old one’s. It overcounts badly.

    Grow a 64-byte table with the write cursor near the end, and resize to 65, and XQUIC decides there are 70 tail bytes to move when there are really 6.

    That wrong number flows into a memory copy. The copy length comes from subtracting the overcount from a smaller value. Because that length is an unsigned size_t, it underflows and wraps to a near-maximum number, and the copy runs off the end of memory.

    In FoxIO’s release build on Ubuntu 26.04, glibc’s _FORTIFY_SOURCE=2 caught the bad length and killed the process. Without that check, the copy writes out of bounds, from the old buffer past the end of the new one. Féry showed a crash but did not test whether that corruption could be exploited further.

    None of the values in the attack breaks QPACK’s rules. XQUIC advertises a 16 KiB dynamic-table limit by default; the payload asks for 64 bytes, then 65. The client only has to drive the table into the exact wrapped layout that hits the faulty branch. FoxIO says the mistake has been in XQUIC since its first public release in January 2022, and a proof of concept is public.

    XRING is the latest in a string of remote crashes in HTTP/2 and HTTP/3 stacks. Three weeks earlier, THN reported a use-after-free in NGINX’s HTTP/3 module (CVE-2026-42530) that a remote, unauthenticated client could reach through the same QPACK encoder stream XRING abuses, a different bug class on the same attack surface.

    Cybersecurity

    In June, Calif’s HTTP/2 Bomb caused remote denial of service against Nginx, Apache, IIS, and Envoy by abusing HPACK, HTTP/2’s header compression, and the predecessor to QPACK.

    In February, HAProxy patched two QUIC crashes, one an integer underflow during token validation, the same type of bug behind XRING, though it needed a malformed packet where XRING needs none. That difference is the point: legal input, one arithmetic slip, a dead server.

    FoxIO demonstrated a crash, not code execution, and reported no exploitation in the wild. It says it emailed Alibaba on April 7 through the project’s security policy, which promises a reply within three working days, then followed up four more times through May 9 without an answer before going public.

    The Hacker News has asked Alibaba whether a fix and a CVE are coming, and whether FoxIO’s five disclosure attempts reached its security team. It has asked FoxIO whether the flaw has been exploited in the wild and whether the underlying heap write can be pushed past a crash. The story will be updated with any response.

    clients crash flaw HTTP3 Lets remote servers Unpatched XQUIC XRING
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticlePalm Beach Airport in Florida Is Renamed for Trump
    Next Article Hollie Doyle blog: More Thunder can strike in Summer Mile at Ascot with Newmarket and York also staging big Saturday races | Racing News
    admin
    • Website

    Related Posts

    Attackers Exploit ‘Ill Bloom’ Vulnerability to Drain $3.1 Million From Cryptocurrency Wallets

    July 10, 2026

    Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes

    July 10, 2026

    GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses

    July 10, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Joseph Fraumeni, 93, Dies; Helped Discover Genetic Link to Cancer

    How American Socialism Changed, and Stormed the Democratic Party

    How Terrorist Groups Are Using A.I. to Gain an Edge in Battle

    OpenAI launches its new family of models with GPT-5.6

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by