Unpatched XRING bug in XQUIC allows remote crash
🛡️ A single wrong variable in Alibaba's XQUIC library lets any remote client crash servers using default QPACK settings with ordinary HTTP/3 traffic. FoxIO researcher Sébastien Féry disclosed the XRING flaw on July 8 and showed a crash triggered by about 260 bytes of legal QPACK frames. All XQUIC releases through v1.9.4 are affected; no patch or CVE was available as of July 10. Operators can mitigate by setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 or disabling HTTP/3 until a fix ships.
