<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Quic on CuraSec</title><link>https://curasec.metacog.co.kr/tags/quic/</link><description>Recent content in Quic on CuraSec</description><generator>Hugo</generator><language>en-us</language><lastBuildDate>Sat, 11 Jul 2026 11:49:48 +0000</lastBuildDate><atom:link href="https://curasec.metacog.co.kr/tags/quic/index.xml" rel="self" type="application/rss+xml"/><item><title>Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers</title><link>https://curasec.metacog.co.kr/insights/2026-07-11-unpatched-xring-flaw-in-xquic-lets-remote-clients-crash-http/</link><pubDate>Sat, 11 Jul 2026 11:49:48 +0000</pubDate><guid>https://curasec.metacog.co.kr/insights/2026-07-11-unpatched-xring-flaw-in-xquic-lets-remote-clients-crash-http/</guid><description>&lt;ul>
&lt;li>&lt;strong>Engineer — Plan:&lt;/strong> XQUIC is Alibaba&amp;rsquo;s QUIC/HTTP/3 library — audit whether it&amp;rsquo;s in your stack (Alibaba Cloud, CDN edge, or any Go/C++ HTTP/3 service built on it); no patch exists yet, so consider disabling HTTP/3 endpoints or adding rate-limiting on QPACK traffic as interim mitigation. No KEV or EPSS signal, but a zero-auth 260-byte crash with no malformed packets is trivially weaponizable.&lt;/li>
&lt;li>&lt;strong>SOC/IR — Learn:&lt;/strong> No active exploitation or IOCs reported; the attack surface is interesting for future detection rule design around anomalous HTTP/3 QPACK request volumes causing server restarts, but there is nothing to hunt today.&lt;/li>
&lt;li>&lt;strong>Leader — Skip&lt;/strong>&lt;/li>
&lt;/ul></description></item></channel></rss>