XQUIC XRING remote crash security flaw
Vulnerability
Summary
Hide ▲
Show ▼
XQUIC's XRING flaw leaves HTTP/3 servers exposed to remote crashes through valid QPACK traffic, with no patch available. The bug needs no login and no malformed packets, and FoxIO says about 260 bytes of ordinary traffic can take the server process down. Any server embedding XQUIC and serving HTTP/3 with default QPACK settings is exposed, including embedders such as Tengine.
Related Happenings
NGINX web server critical flaws (multiple vulnerabilities)
Vulnerability
H score38
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
NGINX web server critical flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
GoBruteforcer botnet expands against crypto and blockchain project databases
Malware Activity
H score27
First: 12.01.2026 12:48
Last: 12.01.2026 12:48
Sources 1
About this happening:
The **GoBruteforcer** botnet has entered a **new wave of attacks** that targets **cryptocurrency and blockchain project databases** and turns **Linux servers** into credential-bru...
GoBruteforcer botnet expands against crypto and blockchain project databases
Malware ActivityAbout this happening: The **GoBruteforcer** botnet has entered a **new wave of attacks** that targets **cryptocurrency and blockchain project databases** and turns **Linux servers** into credential-bru...
Timeline
-
10.07.2026 14:47 2 articles · 2h ago
FoxIO discloses XRING in XQUIC
Initial DisclosureFoxIO researcher Sébastien Féry disclosed XRING in Alibaba's XQUIC on July 8, identifying a one-line bug in the QUIC and HTTP/3 library that lets a remote client crash an exposed server with legal QPACK traffic, no login, and no malformed packets. FoxIO says every release through v1.9.4 is affected, there is no fixed release or CVE as of July 10, and operators can mitigate exposure by setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 or disabling HTTP/3.
Show sources
- Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers — thehackernews.com — 10.07.2026 14:47
- Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers — thehackernews.com — 10.07.2026 14:47