Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
XRING Flaw in XQUIC Poses Risk to HTTP/3 Servers

XRING Flaw in XQUIC Poses Risk to HTTP/3 Servers

Posted on July 10, 2026 By CWS

A vulnerability in XQUIC, Alibaba’s QUIC and HTTP/3 library, has been identified by FoxIO researcher Sébastien Féry, allowing remote clients to crash servers using normal traffic. Known as XRING, this flaw requires no authentication or malformed packets, making it a significant threat to any server deploying the library.

Widespread Impact on Servers

XQUIC, a widely used open-source library, is embedded in various servers, including Alibaba’s Tengine, which supports major sites like Taobao and Alipay. The flaw affects every version through v1.9.4, with no patch available as of July 10. Until a fix is released, operators are advised to disable QPACK’s dynamic table by setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 or to cease HTTP/3 support altogether.

Technical Details of the Vulnerability

The XRING flaw resides in the way HTTP/3 compresses headers with QPACK, a system designed to reduce redundant header transmission. XQUIC utilizes a ring buffer to store data, but an error occurs when resizing this buffer. This results in an incorrect calculation of the memory copy length, potentially leading to a buffer overflow. Although the bug was caught by security measures in Ubuntu’s glibc, the risk of memory corruption remains.

The vulnerability has been present since XQUIC’s initial public release in January 2022, and a proof of concept is already available. The flaw is part of a broader trend of remote crashes in HTTP/2 and HTTP/3 technologies, highlighting the need for robust security in these protocols.

Responses and Future Outlook

Despite multiple disclosure attempts by FoxIO, Alibaba had not responded by the time the information was made public. The security industry continues to monitor for potential exploitation in the wild. The Hacker News is seeking clarification from Alibaba regarding any forthcoming fixes or CVEs and whether the flaw has been actively exploited.

This incident underscores the critical nature of addressing vulnerabilities in widely used open-source software. As the industry awaits a resolution, it serves as a reminder for organizations to remain vigilant and proactive in their cybersecurity measures.

The Hacker News Tags:Alibaba, CVE, denial of service, FoxIO, header compression, HTTP/3 servers, open-source vulnerability, QPACK, remote crash, server crash, Tengine, web security, XQUIC vulnerability, XRING flaw

Post navigation

Previous Post: Odyssey Stealer Targets macOS: Global Crypto Threat
Next Post: Cyberattacks on Pakistani Police by China, India Hackers

Related Posts

Filling the Most Common Gaps in Google Workspace Security Filling the Most Common Gaps in Google Workspace Security The Hacker News
Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics The Hacker News
Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access Hackers Exploit SharePoint Zero-Day Since July 7 to Steal Keys, Maintain Persistent Access The Hacker News
SideCopy Targets Afghan Finance Ministry with Xeno RAT SideCopy Targets Afghan Finance Ministry with Xeno RAT The Hacker News
How Attackers Exploit SOC Workloads Beyond Phishing Emails How Attackers Exploit SOC Workloads Beyond Phishing Emails The Hacker News
Iranian Infy Hackers Reactivate C2 Servers After Internet Blackout Iranian Infy Hackers Reactivate C2 Servers After Internet Blackout The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical Linux FUSE Flaw Allows Root Access
  • Laser Pulse Vulnerability in Tangem Wallets Exposes Security Risks
  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical Linux FUSE Flaw Allows Root Access
  • Laser Pulse Vulnerability in Tangem Wallets Exposes Security Risks
  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark