"It needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server process down," FoxIO researcher Sébastien Féry wrote on July 8, describing a fault he has nicknamed XRING.
How XRING crashes HTTP/3 servers
XRING is a single arithmetic and indexing error in XQUIC, Alibaba's open-source QUIC and HTTP/3 library. The bug appears in the logic that resizes the QPACK dynamic table's ring buffer: when the client requests growth of the table, XQUIC allocates a larger buffer and copies the old data into it. The copy routine has four cases depending on whether data wraps in the old and new buffers; in one case the code measures the leftover tail against the new buffer's capacity instead of the old one and overcounts.
Féry illustrated the mistake with concrete numbers: grow a 64‑byte table with the write cursor near the end, then resize to 65, and XQUIC will calculate there are 70 tail bytes to move when there are actually 6. That erroneous value flows into a memory copy calculation. Subtracting the overcount from a smaller value produces an unsigned size_t underflow, wrapping to a near‑maximum length and causing the copy to run off the end of the destination buffer.
In FoxIO's release build on Ubuntu 26.04, glibc's _FORTIFY_SOURCE=2 detected the bad length and terminated the process. Without that protection the copy writes out of bounds. Féry demonstrated a crash but did not claim arbitrary code execution.
Who and what are exposed
XQUIC is open-source, and FoxIO says every XQUIC release through v1.9.4, the latest at the time of reporting, is affected. Any server that embeds XQUIC and serves HTTP/3 with the default QPACK settings is therefore exposed. FoxIO explicitly calls out Tengine — Alibaba's Nginx‑based web server — which it says fronts Alibaba cloud and CDN properties including Taobao and Alipay.
The default XQUIC configuration advertises a 16 KiB dynamic-table limit. The attack sequence Féry used stays inside QPACK's protocol rules and XQUIC's advertised limits, making the flaw broadly reachable so long as XQUIC is used with default settings.
Attack characteristics and proof-of-concept
XRING requires no authentication and no malformed packets. The public proof‑of‑concept uses only ordinary QPACK control traffic — about 260 bytes in FoxIO's demonstration — to drive the ring buffer into the wrapped layout that triggers the faulty branch. The payload sequences Féry cited ask for a 64‑byte table entry then a 65‑byte resize; the client must produce the particular wraparound layout that trips the bug.
FoxIO reported a remote crash and published a proof‑of‑concept. It says it has found no evidence of exploitation in the wild and did not assert that the heap write could be elevated to code execution.
Mitigations and the disclosure timeline
As of July 10 there was no fixed XQUIC release and no CVE assigned. FoxIO says it followed the project's security policy: an initial email to Alibaba on April 7 with four follow‑ups through May 9, then public disclosure on July 8. The Hacker News has asked Alibaba whether a fix and a CVE are coming and whether FoxIO's messages reached the security team; it has also asked FoxIO whether the flaw has been exploited and whether the heap write can be pushed past a crash.
Until a fix ships, operators have two practical mitigations: set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0, which disables QPACK's dynamic table, or drop HTTP/3 support entirely.
Related incidents: CVE-2026-42530, the HTTP/2 Bomb, and recent QUIC fixes
- Three weeks before XRING, The Hacker News reported a use‑after‑free in NGINX's HTTP/3 module (CVE-2026-42530) reachable through the same QPACK encoder stream that XRING abuses — a different bug class on the same attack surface.
- In June, the "HTTP/2 Bomb" caused remote denial of service against Nginx, Apache, IIS, and Envoy by abusing HPACK, the header compression used in HTTP/2, the predecessor to QPACK.
- In February, HAProxy issued patches for two QUIC crashes, including an integer underflow during token validation — the same class of arithmetic error behind XRING, though that HAProxy bug required malformed packets rather than entirely legal input.
XRING is, in the record FoxIO presents, a single misplaced capacity check with outsized consequences: legal QPACK traffic, routine settings, and an underflow that can terminate a server process. With a proof‑of‑concept public, no patch available through v1.9.4 and no CVE assigned as of July 10, operators running XQUIC‑based HTTP/3 servers must choose between immediate mitigations and the operational cost of disabling HTTP/3 while waiting for a formal fix and response from the project maintainers.




