XRING: An unpatched DoS flaw in Alibaba’s XQUIC library
14 Jul 2026
A FoxIO researcher disclosed a vulnerability labeled as XRING in Alibaba’s XQUIC library that can cause HTTP/3 services to become unresponsive. The vulnerability needs no login or malformed packets to take the server process down.
Through this blog, we will understand what the XRING flaw is about and some of the security actions that organizations can take to prevent/respond to the threat.
About the vulnerability
|
Vendor + component affected |
Potentially exposed environments |
About |
Versions affected |
|
Alibaba +
XQUIC (HTTP/3/QUIC library)
|
Any server that embeds XQUIC and serves HTTP/3 with the default QPACK settings |
A remote Denial of Service vulnerability |
Every release through v1.9.4 |
What can attackers do with the vulnerability?
Since very little is required to trigger XRING and every byte an attacker sends is protocol-legal, attackers are using the vulnerability to crash servers without raising alarms.
It is a challenge for defenders because the flaw cannot be filtered by any signature-based detection, and the attack requires no privileged position, no prior reconnaissance except confirming HTTP/3 over XQUIC, and no infrastructure other than a single client opening a QUIC connection.
Attackers can exploit the vulnerability to:
- Quickly carry out DoS attacks without much effort or raising alarms
- Crash HTTP/3 servers by sending 260 bytes of ordinary QPACK traffic
- Target vulnerable third party vendors
SharkStriker’s recommendations
- Identify systems using XQUIC.
- Disable HTTP/3 if not required.
- Restrict access to HTTP/3 services.
- Apply the vendor patch when released.
SharkStriker’s actions
- Assessed the vulnerability.
- Issued a security advisory.
- Recommended interim mitigations