XRING in XQUIC: a flaw that can take down HTTP/3 servers without malicious packets

Colleagues, I’d like to draw attention to a cybersecurity case: XQUIC, Alibaba’s library for QUIC and HTTP/3, has an XRING vulnerability.
The mechanism is straightforward, yet dangerous: a remote client can crash the server with ordinary, legitimate QPACK traffic. No authentication or malicious packets are required.
All releases up to and including v1.9.4 are affected. At the time of publication, there is no fix or CVE.
A temporary mitigation is to disable the QPACK dynamic table or remove HTTP/3 altogether.
Why it matters: a single arithmetic error can lead to denial of service even without an overt attack.
Have you already checked your HTTP/3 services for risks like this?
#cybersecurity #HTTP3 #QUIC #vulnerability


Latest comments
No comments yet.