Connect with us

CyberSecurity

A Single Line of Bad Code: How XRING in XQUIC Lets Anyone Crash HTTP/3 Servers

Published

on

XRING flaw XQUIC

The Bug That Won’t Patch

A single wrong variable on one line. That’s all it takes. Alibaba’s XQUIC library — the backbone of their HTTP/3 and QUIC implementations — contains a vulnerability that lets any remote client crash the server stone dead. No login required. No malformed packets. Just 260 bytes of perfectly legal QPACK traffic.

The flaw, disclosed July 8 by FoxIO researcher Sébastien Féry, carries the nickname XRING. And as of today, there is no patch.

Think about that. A short burst of ordinary data, and the server goes down. This isn’t some complex exploit chain requiring months of preparation. It’s a logic error, plain and simple.

How XRING Works: The 260-Byte Hammer

Féry’s analysis pinpoints the problem to a single line in XQUIC’s source code. The library mishandles a specific state transition during QPACK — the header compression protocol used in HTTP/3. When a remote client sends a carefully crafted but entirely standards-compliant sequence of QPACK instructions, the server’s internal state machine enters a loop it can’t escape.

The result? A crash. A denial of service. And the attacker doesn’t need credentials, doesn’t need to forge packets, doesn’t need anything except a network connection and about 260 bytes of data.

For context, that’s smaller than the average email. You could send it from a phone. From a compromised IoT device. From a script kiddie’s laptop in a coffee shop.

Why QPACK Matters Here

QPACK is HTTP/3’s answer to HPACK, the header compression scheme used in HTTP/2. It’s designed to reduce latency by allowing encoder and decoder to maintain separate dynamic tables. But when the synchronization between those tables breaks — as it does in XQUIC’s implementation — the results are catastrophic.

Féry’s disclosure notes that the bug exists in the xquic repository’s handling of QPACK’s insert with name reference instruction. A specific sequence triggers an integer underflow that spirals into a null pointer dereference. Boom.

Who’s Affected? More Than You’d Think

XQUIC isn’t some obscure hobby project. It’s Alibaba’s production-grade QUIC implementation, used across the company’s cloud services and CDN infrastructure. That means any service built on Alibaba Cloud that exposes an HTTP/3 endpoint could be vulnerable.

And because XQUIC is open source, it’s been forked, integrated, and adapted by countless projects. The real scope of affected deployments is unknown — which makes the lack of a patch all the more concerning.

Féry responsibly disclosed the flaw to Alibaba’s security team before going public. The clock is ticking. Every day without a fix is a day where any attacker with a few bytes of bandwidth can knock servers offline.

No Patch, No Workaround — What Now?

As of publication, Alibaba has not released a patch for XRING. There is no official workaround either. If you’re running XQUIC in production, your options are limited.

Some teams might consider disabling HTTP/3 support entirely, falling back to HTTP/2 or HTTP/1.1. That’s a drastic step — HTTP/3 offers real performance gains, especially on lossy networks — but it might be the only way to guarantee safety until a fix lands.

Others could implement a rate limiter on QPACK traffic, though that’s a blunt instrument. The attack uses so little data that even aggressive throttling might not catch it before the server crashes.

Monitoring for unusual QPACK patterns is another possibility, but it’s reactive. By the time you detect the attack, the server is already down.

The Bigger Picture: HTTP/3’s Growing Pains

XRING isn’t a condemnation of HTTP/3 itself. The protocol is solid. But its implementations are still maturing. QUIC and HTTP/3 introduce new complexity — new state machines, new compression schemes, new attack surfaces. Bugs like this are inevitable.

What’s not inevitable is leaving them unpatched. Alibaba needs to move fast. Every day of delay turns XRING from a researcher’s curiosity into a reliable weapon for anyone with malicious intent.

For now, the advice is simple: watch the XQUIC repository. If you use it, prepare to deploy a patch the moment one drops. And maybe start thinking about whether you can afford to run HTTP/3 without one.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Inside DEBULL: How Threat Actors Weaponize Microsoft’s Device-Code Flow to Hijack M365 Accounts

Published

on

device-code phishing

The Attack That Doesn’t Need a Fake Login Page

Most phishing attacks rely on a convincing replica of a login page. The user types credentials, and the attacker grabs them. Simple. But a campaign spotted by ZeroBEC between late June and early July 2026 took a different approach. It didn’t need a fake Microsoft password page at all.

Instead, attackers pushed victims into the legitimate Microsoft device login experience. The trick? Weaponizing a feature designed for convenience: device-code flow, also known as device-code authentication.

The tooling behind this campaign, tracked as DEBULL, represents a growing threat to Microsoft 365 (M365) accounts. And the lures? They look like collaboration invites — the kind employees click without thinking twice.

How Device-Code Flow Becomes a Weapon

Device-code flow was built for devices that can’t handle a full browser login — smart TVs, IoT gadgets, or command-line tools. The user gets a code, enters it on a separate device, and authenticates. It’s useful. But it also has a dangerous property: the authentication happens on the attacker’s session, not the victim’s.

Here’s how the DEBULL campaign exploits that:

  • The attacker initiates a device-code authentication request for a legitimate M365 application.
  • The victim receives a lure — typically an email or message about a shared document, calendar invite, or team collaboration — that directs them to microsoft.com/devicelogin.
  • The victim enters the code shown in the lure. This ties the attacker’s session to the victim’s approval.
  • The attacker now holds a valid token. They can access the victim’s email, files, and contacts without ever knowing the password.

No fake page. No stolen password. Just a clever abuse of a legitimate flow. The victim thinks they’re approving access to a shared file. In reality, they’re handing over their account.

Collaboration Lures: The Hook That Works

ZeroBEC’s analysis highlights that the campaign leaned heavily on collaboration-themed phishing lures. These aren’t generic “your account has been compromised” scare tactics. They’re specific: a shared OneNote notebook, a Teams meeting invitation, a document from a colleague.

For someone working in a busy office, that’s plausible. You get a message saying “Sarah shared a file with you” — you click. The page looks official because it is official. Microsoft’s own login flow. The only difference is the attacker chose the code.

This is social engineering at its most surgical. The attacker doesn’t need to spoof Microsoft’s UI. They just need the victim to trust the context of the message.

DEBULL Tooling: What Makes It Different

The name DEBULL refers to the specific tooling used to automate this attack. Unlike manual device-code phishing, DEBULL operates at scale. It can generate device codes, send lures, and harvest tokens automatically.

Key characteristics of DEBULL include:

  • Automated code generation – The tool requests multiple device codes from Microsoft’s OAuth 2.0 endpoint, cycling through them to avoid detection.
  • Integration with email or messaging platforms – It sends lures that appear to come from trusted collaboration services.
  • Token harvesting – Once a victim enters the code, DEBULL captures the resulting access token and refresh token, granting persistent access.

This isn’t a one-off phishing kit. It’s a modular framework designed for repeated use. And because the authentication happens on Microsoft’s own servers, traditional security filters — the ones that flag fake login pages — don’t catch it.

Why This Is Hard to Detect

Device-code flow abuse is notoriously tricky to stop. Here’s why:

  • No phishing domain – The victim never leaves Microsoft’s legitimate site. URL filters see login.microsoftonline.com and allow it.
  • No credential entry – Passwords aren’t typed or stolen. The attacker authenticates using the victim’s approval, not their password.
  • Tokens live longer – Refresh tokens can remain valid for days or weeks, even if the victim changes their password.

ZeroBEC noted that the campaign targeted M365 accounts specifically, likely because of the rich data inside: email threads, SharePoint files, Teams chats. Once inside, an attacker can pivot to business email compromise (BEC) or data exfiltration.

Organizations relying solely on password-based security miss this entirely. Multi-factor authentication (MFA) helps — but only if the MFA challenge is tied to the legitimate session. In device-code flow, the MFA prompt appears on the attacker’s device, not the victim’s.

How to Defend Against Device-Code Phishing

There’s no single fix, but several measures reduce the risk:

  • Disable device-code flow – For most users, device-code authentication isn’t necessary. Administrators can block it in Azure AD conditional access policies.
  • Educate users – Train employees to recognize that entering a code on microsoft.com/devicelogin grants access to someone else. If they didn’t initiate the request, they shouldn’t enter the code.
  • Monitor for unusual token activity – Security teams can audit token grants and look for device-code authentications from unexpected locations or devices.
  • Use token binding – Where possible, enforce token binding to tie tokens to specific devices, making stolen tokens harder to reuse.

Microsoft has also taken steps to limit abuse, including rate-limiting device-code requests and adding warnings in the device-login interface. But attackers adapt. DEBULL is proof that device-code phishing isn’t going away.

The bottom line? The most dangerous attacks don’t always look like attacks. Sometimes they look like a shared file from a colleague — and a code that seems harmless to type.

Continue Reading

CyberSecurity

Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Published

on

Bad Epoll exploit

A Dangerous Linux Flaw Just Got Easier to Weaponize

Security teams just got a new headache. A working proof-of-concept exploit for a nasty Linux kernel bug called Bad Epoll is now circulating publicly. Tracked as CVE-2026-46242 with a CVSS score of 7.8, this flaw lets any unprivileged process on a vulnerable system claw its way up to root privileges. Desktops, servers, and even Android phones are in the crosshairs.

The exploit code, published by researcher Jaeyoung Chung from Seoul National University’s Computer Security Lab, turns a tricky race condition into a reliable weapon. For organizations that haven’t patched yet, the clock is now ticking much louder.

What Is Bad Epoll? A Race Condition in the Kernel’s Event Engine

To understand the danger, you need to know about epoll. It’s the Linux kernel’s high-performance I/O event notification facility. Instead of forcing a program to repeatedly check dozens or hundreds of file descriptors (a process called polling), the kernel maintains an epoll instance. That instance keeps an interest list and a ready list, efficiently telling the program which file descriptors have events waiting.

Bad Epoll is a close-vs-close race condition buried in epoll’s file-release path. The result? A classic use-after-free bug. Here’s the gist: if one epoll list of file descriptors is monitoring another, and both are closed at almost the same instant, the kernel frees one memory object while the other continues trying to write to it. That’s a recipe for memory corruption — and a golden ticket for attackers.

How the Exploit Works: From Memory Leak to Root Shell

Chung’s Bad Epoll exploit doesn’t just crash the system. It’s carefully engineered for privilege escalation. First, it triggers the race condition to leak kernel memory. Then it hijacks an indirect call, taking control of the CPU’s instruction pointer register. From there, a Return-Oriented Programming (ROP) chain does the rest, ultimately granting root access to the attacker.

This is not a theoretical exercise. The Bad Epoll exploit code is a working weapon, and it’s now in the public domain.

A Bug That Was Hard to Find — and Harder to Fix

Bad Epoll has a curious backstory. It was introduced in 2023, in the same kernel commit that brought us CVE-2026-43074 — another epoll race condition discovered by Anthropic’s Mythos AI. Why did Mythos miss Bad Epoll? Because once CVE-2026-43074 was patched, Bad Epoll stopped triggering KASAN (Kernel Address Sanitizer), the kernel’s dynamic memory error detector. The bug went silent, but it didn’t go away.

Fixing it wasn’t simple either. Chung notes that the maintainers’ first patch didn’t fully resolve the issue. A correct fix landed only two months after the initial report. For a kernel project that usually treats security bugs with extreme urgency, that’s a long time.

Which Systems Are at Risk?

Any Linux distribution running kernel version 6.4 or newer is vulnerable. That covers a huge swath of the modern Linux ecosystem. Google has also confirmed that Pixel 10 devices, which ship with kernel 6.6, are affected.

How to Protect Your Systems

  • Patch immediately. The fix is available in kernel versions 6.10 and later. Backports for older stable kernels are also rolling out. Check your distro’s security advisories.
  • Prioritize internet-facing servers and multi-user systems. Those are the most likely targets for local privilege escalation attacks.
  • Monitor for unusual activity. The Bad Epoll exploit leaves traces. Watch for unexpected kernel crashes or suspicious processes gaining elevated privileges.
  • Review your Android device update policy. Pixel 10 devices need the July 2026 security patch. Other Android vendors are pushing updates too.

For more on keeping your Linux systems secure, check out our guide on Linux kernel security best practices. And if you’re managing mobile devices, our Android enterprise security checklist is a good place to start.

The Bottom Line

The release of a public Bad Epoll exploit changes the risk equation. What was once a theoretical vulnerability is now a practical attack tool. Patching is no longer optional — it’s mandatory. The bug has a high severity score, a working exploit, and a broad attack surface. Organizations that delay are taking an unnecessary gamble.

Continue Reading

CyberSecurity

Estonia Is About to Give AI Agents Their Own State IDs. Here’s Why That Matters.

Published

on

Estonia AI agent IDs

The World’s Most Digital Nation Is Pushing Further

Estonia has long been the poster child for digital government. Citizens vote online, file taxes in minutes, and sign documents with a digital ID that’s been around since 2002. Now the Baltic nation is eyeing a new frontier: giving AI agents their own state-issued identities.

The idea is straightforward but radical. If an AI assistant can hold a verified state ID, it could interact with government portals on your behalf — filing forms, checking records, even applying for permits. Estonia’s government is actively exploring how to make this work, and the implications reach far beyond its 1.3 million residents.

“We’re looking at how to create a legal framework for AI agents to act as representatives,” said a senior official from Estonia’s e-Governance Academy in a recent briefing. The goal is to let citizens delegate routine bureaucratic tasks to software, securely and legally.

What Would a State ID for an AI Agent Actually Look Like?

Estonia’s current digital ID system is a cryptographic smart card (or mobile app) tied to a real person. An AI agent ID would likely follow a similar model but with key differences.

  • Limited authority: The agent would only act within strict permissions set by the human owner — no buying houses or signing marriage certificates without explicit approval.
  • Revocable: The human could cancel the agent’s ID at any time, similar to revoking a power of attorney.
  • Audit trail: Every action the AI takes would be logged and tied back to the human’s main identity, so accountability stays with the person.

This isn’t about giving AI “rights.” It’s about creating a verifiable digital proxy. The agent becomes a tool, not a legal person. Estonia’s e-Governance Academy is already drafting technical standards for how such IDs would be issued and verified.

Why Estonia? And Why Now?

Estonia isn’t doing this in a vacuum. The country’s X-Road data exchange layer already lets public and private sector systems talk securely. Its digital ID infrastructure is battle-tested — over 99% of public services are available online.

But the push for AI agent IDs comes from practical pressure. The same citizens who use AI assistants for shopping, scheduling, and email are starting to ask: why can’t my AI handle my taxes too? Estonia’s government, famously responsive to tech innovation, decided to answer that question before it became a problem.

There’s also a strategic angle. Estonia wants to remain the global benchmark for digital governance. If it can solve AI identity before larger nations do, it could export the model — just as it did with e-residency and digital signatures.

The Technical Hurdles

Building an AI agent ID isn’t just a legal exercise. The system must prevent fraud, impersonation, and runaway agents. Estonia is exploring blockchain-based audit logs and AI-specific authentication protocols. The agent’s ID would include a cryptographic key pair, but the private key would be held by a trusted hardware module — not the AI model itself.

“The AI doesn’t own its identity. It borrows it from a human,” explained a cybersecurity researcher at Tallinn University of Technology. “If the AI goes rogue, the human pulls the plug.”

What This Means for the Rest of the World

Estonia’s moves often serve as a proof of concept for larger countries. The European Union’s eIDAS regulation already sets cross-border digital identity standards. If Estonia successfully integrates AI agents into its national ID framework, other EU members may follow.

But the precedent cuts both ways. A state-issued AI ID could become a powerful tool for surveillance if safeguards aren’t built in. Privacy advocates warn that giving governments visibility into every AI action on a citizen’s behalf creates a detailed map of their digital life. Estonia’s transparency laws and strong data protection rules may mitigate this, but the model could be abused elsewhere.

There’s also the question of liability. If an AI agent files an incorrect tax return or accidentally reveals private data, who is responsible? Estonia is leaning toward a strict “human in the loop” model — the person must review and approve high-stakes actions. But for low-risk tasks like checking the status of a permit, the AI could act autonomously.

Will Other Countries Copy Estonia?

History suggests yes. Estonia’s e-residency program, launched in 2014, has been replicated by countries from Portugal to the United Arab Emirates. Its digital ID model influenced the design of India’s Aadhaar system and the UK’s Gov.uk Verify.

But AI agent IDs are trickier. They require a mature digital identity infrastructure, a legal framework for AI agency, and public trust in automated systems. Few countries have all three. Estonia does — for now.

Japan and Singapore are also experimenting with AI identity, but Estonia is the first to propose a formal state-issued ID for agents. If the pilot succeeds, expect a wave of similar proposals in Europe and beyond.

The Bigger Picture

This isn’t just about bureaucracy. Giving AI agents state IDs could fundamentally change how people interact with government. Instead of filling out forms, you’d tell your AI to handle it. Instead of remembering deadlines, your AI would remind you — or act automatically.

Estonia is betting that convenience will drive adoption, and that security can keep pace. The next 12 months will show whether that bet pays off. If it does, the little Baltic nation will have set a precedent that reshapes digital governance for decades.

Continue Reading

Trending