XRING: An unpatched DoS flaw in Alibaba’s XQUIC library

14 Jul 2026
XRING An unpatched DoS flaw in Alibaba’s XQUIC

A FoxIO researcher disclosed a vulnerability labeled as XRING in Alibaba’s XQUIC library that can cause HTTP/3 services to become unresponsive. The vulnerability needs no login or malformed packets to take the server process down.

 

Through this blog, we will understand what the XRING flaw is about and some of the security actions that organizations can take to prevent/respond to the threat.  

About the vulnerability

Vendor + component affected 

Potentially exposed environments 

About  

Versions affected 

Alibaba + 

 

XQUIC (HTTP/3/QUIC library) 

 

 

 

 

 

 

Any server that embeds XQUIC and serves HTTP/3 with the default QPACK settings 

A remote Denial of Service vulnerability  

Every release through v1.9.4 

What can attackers do with the vulnerability?

Since very little is required to trigger XRING and every byte an attacker sends is protocol-legal, attackers are using the vulnerability to crash servers without raising alarms.

 

It is a challenge for defenders because the flaw cannot be filtered by any signature-based detection, and the attack requires no privileged position, no prior reconnaissance except confirming HTTP/3 over XQUIC, and no infrastructure other than a single client opening a QUIC connection.

 

Attackers can exploit the vulnerability to:

 

  • Quickly carry out DoS attacks without much effort or raising alarms
  • Crash HTTP/3 servers by sending 260 bytes of ordinary QPACK traffic
  • Target vulnerable third party vendors

SharkStriker’s recommendations

 

  • Identify systems using XQUIC.
  • Disable HTTP/3 if not required.
  • Restrict access to HTTP/3 services.
  • Apply the vendor patch when released.

SharkStriker’s actions

  • Assessed the vulnerability.
  • Issued a security advisory.
  • Recommended interim mitigations

Get in Touch With us

We have explored what risk tolerance and risk appetite are and how important they are together in helping businesses align cybersecurity with their business goals. It can help CISOs, and C-suite make informed investment decisions for cybersecurity.

LEARN MORE