A researcher has disclosed an unpatched denial-of-service flaw in XQUIC, Alibaba’s open-source QUIC and HTTP/3 library, that lets any remote client crash a server using nothing more than legitimate protocol traffic.

The vulnerability, nicknamed XRING, was disclosed on July 8 by FoxIO researcher Sébastien Féry. According to Féry, the root cause is a single incorrect variable reference on one line of code within XQUIC’s handling of QPACK, the header compression scheme used in HTTP/3.

What makes XRING notable is how little it takes to trigger. There is no need for authentication, no malformed or malicious packets, and no complex exploit chain. Féry says roughly 260 bytes of ordinary, protocol-compliant QPACK traffic is enough to crash an affected server. Because the traffic is well-formed and legal under the HTTP/3 spec, standard input validation and packet inspection are unlikely to catch or block an attack in progress.

Why This Matters

XQUIC is Alibaba’s implementation of QUIC and HTTP/3, and libraries like it often get embedded in downstream services, CDNs, and edge infrastructure that handle high volumes of client connections. A remote, unauthenticated crash primitive against such infrastructure is a serious operational risk even without data exposure, since it can be used to knock services offline with minimal attacker effort or cost.

The lack of a patch at time of disclosure leaves operators running XQUIC-based HTTP/3 services with no official fix to apply. That places the burden on defenders to identify where XQUIC is deployed in their stack and consider interim mitigations, such as rate-limiting QUIC/HTTP/3 connections, monitoring for abnormal QPACK traffic patterns, or restricting exposure of affected services until a fix is released.

What Security Teams Should Do

  • Inventory services and products that embed XQUIC for HTTP/3 support.
  • Monitor for unexpected crashes or restarts on HTTP/3-facing servers that could indicate exploitation attempts.
  • Apply network-level mitigations such as connection rate limiting where XQUIC cannot be immediately isolated.
  • Track upstream XQUIC repositories and vendor advisories for an official patch.

No CVE identifier was included in the initial disclosure, and further technical details on the exact code path are expected as the issue receives more scrutiny from the QUIC and HTTP/3 developer community.