- A remote crash vulnerability dubbed XRING affects all versions of Alibaba’s XQUIC library, disclosed July 8.
- The flaw requires only 260 bytes of legitimate QPACK traffic, no malformed packets or authentication.
- No patch exists; operators can disable QPACK’s dynamic table or drop HTTP/3 support.
- The bug is an integer underflow during ring buffer resizing, similar to a recent HAProxy QUIC crash.
On July 8, FoxIO researcher Sébastien Féry disclosed a vulnerability in Alibaba’s XQUIC library that lets any remote client crash a server using only compliant HTTP/3 traffic.
The flaw, named XRING, requires no login and no malformed packets; about 260 bytes of ordinary QPACK instructions take down the server process. XQUIC is open-source, so any server embedding it with default QPACK settings is exposed, including Tengine, Alibaba’s Nginx-based web server that fronts Taobao and Alipay.
Every release through v1.9.4 is affected, and as of July 10 there is no fixed release or CVE. Operators can set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 or drop HTTP/3 entirely.
The bug lives in how HTTP/3 compresses headers using QPACK. XQUIC stores the table’s bytes in a ring buffer; when the client asks to grow the table, the code incorrectly sizes leftover tail data against the new buffer’s capacity instead of the old one. Consequently, a grow from 64 to 65 bytes with the write cursor near the end causes an overcount of tail bytes, leading to an unsigned integer underflow that wraps to near-maximum and triggers an out-of-bounds memory copy. FoxIO demonstrated a crash but did not test further exploitation.
None of the attack values break QPACK rules; XQUIC advertises a 16 KiB dynamic-table limit by default, and the payload asks for 64 then 65 bytes. A proof of concept is public. XRING is the latest in a string of remote crashes in HTTP/2 and HTTP/3 stacks, following a use-after-free in NGINX’s HTTP/3 module (CVE-2026-42530) and HAProxy’s patched QUIC crashes in February. FoxIO says it emailed Alibaba on April 7 through the project’s security policy, then followed up four more times without an answer before going public.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
