CuraSec

tag: Quic · 1 items

2026-07-11 · The Hacker News · source ↗ #http3#denial-of-service#quic
  • Engineer — Plan: XQUIC is Alibaba’s QUIC/HTTP/3 library — audit whether it’s in your stack (Alibaba Cloud, CDN edge, or any Go/C++ HTTP/3 service built on it); no patch exists yet, so consider disabling HTTP/3 endpoints or adding rate-limiting on QPACK traffic as interim mitigation. No KEV or EPSS signal, but a zero-auth 260-byte crash with no malformed packets is trivially weaponizable.
  • SOC/IR — Learn: No active exploitation or IOCs reported; the attack surface is interesting for future detection rule design around anomalous HTTP/3 QPACK request volumes causing server restarts, but there is nothing to hunt today.
  • Leader — Skip