Plan
active
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
- Engineer — Plan: XQUIC is Alibaba’s QUIC/HTTP/3 library — audit whether it’s in your stack (Alibaba Cloud, CDN edge, or any Go/C++ HTTP/3 service built on it); no patch exists yet, so consider disabling HTTP/3 endpoints or adding rate-limiting on QPACK traffic as interim mitigation. No KEV or EPSS signal, but a zero-auth 260-byte crash with no malformed packets is trivially weaponizable.
- SOC/IR — Learn: No active exploitation or IOCs reported; the attack surface is interesting for future detection rule design around anomalous HTTP/3 QPACK request volumes causing server restarts, but there is nothing to hunt today.
- Leader — Skip
This entry was curated and judged by AI (Claude) with automated enrichment
(CISA KEV / EPSS / public PoC). Verify against the original source before
acting. Found a bad verdict?
Report it —
confirmed errors go to the corrections log.