Full Report
A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server
Analysis Summary
# Vulnerability: XRING - Remote Denial of Service in XQUIC
## CVE Details
- **CVE ID**: Not yet assigned (as of July 10, 2026)
- **CVSS Score**: Estimated High (Significant Availability impact)
- **CWE**: CWE-191 (Integer Underflow), CWE-121 (Stack-based Buffer Overflow) / CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products**: XQUIC (Alibaba's QUIC and HTTP/3 library), Tengine web server (Nginx-based).
- **Versions**: All releases up to and including v1.9.4.
- **Configurations**: Any server embedding XQUIC and serving HTTP/3 with default QPACK settings enabled.
## Vulnerability Description
The vulnerability, nicknamed **XRING**, resides in the QPACK header compression implementation. Specifically, the flaw is located in the ring buffer management logic (`xqc_ring_mem.c`) used for the QPACK dynamic table.
When a client requests to resize the dynamic table, the library must migrate data to a new buffer. The code contains a logic error in one of four migration cases: it calculates the "tail" data size using the *new* buffer's capacity instead of the *old* one. This results in an overcounted value. When this overcounted value is used in a subtraction to determine the remaining copy length, an **integer underflow** occurs. For an unsigned `size_t` variable, this results in a massive positive integer, leading to a massive out-of-bounds memory copy that crashes the process.
## Exploitation
- **Status**: PoC available; disclosed by FoxIO researcher Sébastien Féry. No confirmed exploitation in the wild.
- **Complexity**: Low (requires only ~260 bytes of spec-compliant traffic).
- **Attack Vector**: Network (Remote, Unauthenticated).
## Impact
- **Confidentiality**: None (as currently demonstrated).
- **Integrity**: Unknown (Potential for memory corruption, though only a crash has been proven).
- **Availability**: High (A single burst of traffic can crash the server process).
## Remediation
### Patches
- **No patch is currently available.** The vendor (Alibaba) has reportedly not responded to disclosure attempts since April 2024.
### Workarounds
- **Disable QPACK Dynamic Table**: Set `SETTINGS_QPACK_MAX_TABLE_CAPACITY` to 0.
- **Disable HTTP/3**: Revert to HTTP/2 or HTTP/1.1 until a fix is released.
- **Compile with Protections**: Ensure binaries are compiled with `_FORTIFY_SOURCE=2` or similar memory protections to catch the length mismatch and prevent potential code execution (though the process will still crash).
## Detection
- **Indicators of Compromise**: Repeated, unexpected crashes of the XQUIC/Tengine process following short bursts of QPACK traffic on the HTTP/3 control stream.
- **Detection methods**: Monitor for unusual QPACK `Set Dynamic Table Capacity` instructions, specifically those that trigger rapid resizing of the buffer from a wrapped state.
## References
- **FoxIO Research**: hxxps[://]foxio[.]io/blog/xring-crashing-xquic-with-spec-compliant-qpack-instructions
- **Public PoC**: hxxps[://]github[.]com/FoxIO-LLC/xring-poc
- **Vulnerable Source Code**: hxxps[://]github[.]com/alibaba/xquic/blob/main/src/common/utils/ringmem/xqc_ring_mem.c