CuraSec

Plan active

Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

2026-07-11 11:49 UTC · The Hacker News · read the source ↗ #http3#denial-of-service#quic
  • Engineer — Plan: XQUIC is Alibaba’s QUIC/HTTP/3 library — audit whether it’s in your stack (Alibaba Cloud, CDN edge, or any Go/C++ HTTP/3 service built on it); no patch exists yet, so consider disabling HTTP/3 endpoints or adding rate-limiting on QPACK traffic as interim mitigation. No KEV or EPSS signal, but a zero-auth 260-byte crash with no malformed packets is trivially weaponizable.
  • SOC/IR — Learn: No active exploitation or IOCs reported; the attack surface is interesting for future detection rule design around anomalous HTTP/3 QPACK request volumes causing server restarts, but there is nothing to hunt today.
  • Leader — Skip
This entry was curated and judged by AI (Claude) with automated enrichment (CISA KEV / EPSS / public PoC). Verify against the original source before acting. Found a bad verdict? Report it — confirmed errors go to the corrections log.