Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
XRING Flaw in XQUIC Poses Risk to HTTP/3 Servers

XRING Flaw in XQUIC Poses Risk to HTTP/3 Servers

Posted on July 10, 2026 By CWS

A vulnerability in XQUIC, Alibaba’s QUIC and HTTP/3 library, has been identified by FoxIO researcher Sébastien Féry, allowing remote clients to crash servers using normal traffic. Known as XRING, this flaw requires no authentication or malformed packets, making it a significant threat to any server deploying the library.

Widespread Impact on Servers

XQUIC, a widely used open-source library, is embedded in various servers, including Alibaba’s Tengine, which supports major sites like Taobao and Alipay. The flaw affects every version through v1.9.4, with no patch available as of July 10. Until a fix is released, operators are advised to disable QPACK’s dynamic table by setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 or to cease HTTP/3 support altogether.

Technical Details of the Vulnerability

The XRING flaw resides in the way HTTP/3 compresses headers with QPACK, a system designed to reduce redundant header transmission. XQUIC utilizes a ring buffer to store data, but an error occurs when resizing this buffer. This results in an incorrect calculation of the memory copy length, potentially leading to a buffer overflow. Although the bug was caught by security measures in Ubuntu’s glibc, the risk of memory corruption remains.

The vulnerability has been present since XQUIC’s initial public release in January 2022, and a proof of concept is already available. The flaw is part of a broader trend of remote crashes in HTTP/2 and HTTP/3 technologies, highlighting the need for robust security in these protocols.

Responses and Future Outlook

Despite multiple disclosure attempts by FoxIO, Alibaba had not responded by the time the information was made public. The security industry continues to monitor for potential exploitation in the wild. The Hacker News is seeking clarification from Alibaba regarding any forthcoming fixes or CVEs and whether the flaw has been actively exploited.

This incident underscores the critical nature of addressing vulnerabilities in widely used open-source software. As the industry awaits a resolution, it serves as a reminder for organizations to remain vigilant and proactive in their cybersecurity measures.

The Hacker News Tags:Alibaba, CVE, denial of service, FoxIO, header compression, HTTP/3 servers, open-source vulnerability, QPACK, remote crash, server crash, Tengine, web security, XQUIC vulnerability, XRING flaw

Post navigation

Previous Post: Odyssey Stealer Targets macOS: Global Crypto Threat
Next Post: Cyberattacks on Pakistani Police by China, India Hackers

Related Posts

Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks The Hacker News
Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat Fake Booking Emails Redirect Hotel Staff to Fake BSoD Pages Delivering DCRat The Hacker News
SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw The Hacker News
DarkSword iOS Kit Exploits Multiple Flaws for Device Control DarkSword iOS Kit Exploits Multiple Flaws for Device Control The Hacker News
New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally The Hacker News
Phishing Campaign Impersonates CERT-UA to Spread Malware Phishing Campaign Impersonates CERT-UA to Spread Malware The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed
  • Windows Shortcuts Exploit PowerShell for Remote Attacks
  • Okta Alerts on Vishing Threat to Microsoft 365 Users

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Critical GNU Guix Vulnerabilities Permit Remote Attacks
  • DHS Database Breach and Adobe’s Security Enhancements
  • WhatsApp-to-Host Attack via OpenClaw Flaws Detailed
  • Windows Shortcuts Exploit PowerShell for Remote Attacks
  • Okta Alerts on Vishing Threat to Microsoft 365 Users

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark