Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
A security researcher has disclosed an unpatched vulnerability in XQUIC, Alibaba's open-source implementation of the QUIC transport protocol. The flaw, dubbed XRING, affects the XQUIC library and allows remote clients to crash HTTP/3 servers. The vulnerability can be triggered by sending a specially crafted packet to a server using XQUIC, causing a denial-of-service (DoS) condition. The researcher reported the issue to Alibaba but the vulnerability remains unpatched at the time of disclosure. XQUIC is used in various Alibaba services and by other organizations for HTTP/3 and QUIC support. The disclosure highlights the risk of unpatched vulnerabilities in critical networking libraries.
Unpatched XRING flaw in XQUIC enables remote DoS attacks on HTTP/3 servers.