Find notable cyber news and cases, enriched with sources, timelines, and signals.

XQUIC XRING remote crash security flaw

Vulnerability
First reported
Last updated
Happening score
H score 1
1 unique sources, 1 articles

Summary

Hide ▲

XQUIC's XRING flaw leaves HTTP/3 servers exposed to remote crashes through valid QPACK traffic, with no patch available. The bug needs no login and no malformed packets, and FoxIO says about 260 bytes of ordinary traffic can take the server process down. Any server embedding XQUIC and serving HTTP/3 with default QPACK settings is exposed, including embedders such as Tengine.

Related Happenings

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability
H score38 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...

GoBruteforcer botnet expands against crypto and blockchain project databases

Malware Activity
H score27 First: 12.01.2026 12:48 Last: 12.01.2026 12:48 Sources 1

About this happening: The **GoBruteforcer** botnet has entered a **new wave of attacks** that targets **cryptocurrency and blockchain project databases** and turns **Linux servers** into credential-bru...

Timeline

  1. 10.07.2026 14:47 2 articles · 2h ago

    FoxIO discloses XRING in XQUIC

    Initial Disclosure

    FoxIO researcher Sébastien Féry disclosed XRING in Alibaba's XQUIC on July 8, identifying a one-line bug in the QUIC and HTTP/3 library that lets a remote client crash an exposed server with legal QPACK traffic, no login, and no malformed packets. FoxIO says every release through v1.9.4 is affected, there is no fixed release or CVE as of July 10, and operators can mitigate exposure by setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 or disabling HTTP/3.

    Show sources