Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
Overview
A flaw known as XRING has been discovered in XQUIC, Alibaba's library for QUIC and HTTP/3. This vulnerability allows any remote client to crash servers using a simple sequence of legal traffic, requiring no authentication or malformed packets. The issue stems from a single incorrect variable in the code, and it takes only about 260 bytes of standard QPACK traffic to trigger the crash. As of now, there is no patch available to fix this problem. Researchers have flagged this vulnerability as a significant risk, especially for servers relying on XQUIC for HTTP/3 communication, as it could lead to downtime and service disruption.
Key Takeaways
- Affected Systems: XQUIC library used in HTTP/3 servers
- Timeline: Disclosed on July 8
Original Article Summary
A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server
Impact
XQUIC library used in HTTP/3 servers
Exploitation Status
The exploitation status is currently unknown. Monitor vendor advisories and security bulletins for updates.
Timeline
Disclosed on July 8
Remediation
Not specified
Additional Information
This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.
Related Topics: This incident relates to Vulnerability, Patch.