Unpatched XRING Flaw in Alibaba's XQUIC Allows Remote HTTP/3 Server Crashes
- CVE ID
- N/A
- CVSS Score
- N/A
- Affected Products
- Servers embedding Alibaba's XQUIC library, including Tengine, and any HTTP/3 server with default QPACK settings
Overview
A severe, unpatched vulnerability dubbed “XRING” has been discovered in Alibaba’s XQUIC library, which is a popular open-source implementation of the QUIC transport protocol and HTTP/3. This flaw allows any remote client to trigger a denial-of-service (DoS) attack by crashing servers that use the library, requiring no authentication or malformed packets. The vulnerability was disclosed by FoxIO researcher Sébastien Féry on July 8, 2026, and as of July 10, 2026, no patch has been released. The ease of exploitation, requiring merely 260 bytes of ordinary QPACK traffic, makes this a high-priority concern for any organization running HTTP/3 services powered by XQUIC.
Technical Details
The XRING vulnerability resides in a single incorrect variable on one line within the XQUIC codebase, specifically affecting how HTTP/3 compresses headers using QPACK. HTTP/3 utilizes QPACK to efficiently compress headers by maintaining a shared dynamic table that clients can instruct the server to build up and resize via a dedicated encoder stream. The XRING flaw exploits a weakness in this QPACK encoder stream. By sending a short burst of completely legal HTTP/3 traffic, a remote client can manipulate this mechanism to cause the server process to crash. The issue has been present in XQUIC since its first public release in January 2022, affecting every version up to and including the latest, v1.9.4. Since XQUIC is open-source, the risk extends beyond Alibaba’s direct infrastructure to any server that integrates and utilizes this library for HTTP/3 services with default QPACK settings. This includes Tengine, Alibaba’s Nginx-based web server, which reportedly fronts the company’s cloud and Content Delivery Network (CDN) for high-traffic sites like Taobao and Alipay.
Real-World Impact
The primary real-world impact of the XRING vulnerability is the potential for widespread denial-of-service against critical HTTP/3 services. An attacker can remotely and unauthentically crash affected servers, leading to service outages, reputational damage, and potentially significant financial losses for organizations relying on these services. The fact that the attack requires no special privileges or malformed packets means that even a low-skilled attacker could weaponize this flaw. This vulnerability is particularly concerning as HTTP/3 is a next-generation protocol designed for enhanced web performance, and its adoption is growing. Organizations leveraging XQUIC for their web infrastructure, especially those handling high volumes of traffic or critical online operations, face a substantial risk until a patch is available. The public disclosure of a proof-of-concept (PoC) further increases the likelihood of active exploitation in the wild.
Threat Landscape
XRING is the latest in a series of remote crash vulnerabilities discovered in HTTP/2 and HTTP/3 stacks. Just weeks prior, a use-after-free vulnerability (CVE-2026-42530) was reported in NGINX’s HTTP/3 module, accessible through the same QPACK encoder stream. Prior to that, in June, “Calif’s HTTP/2 Bomb” caused remote DoS against major web servers by exploiting HPACK. This pattern suggests an emerging area of focus for security researchers and threat actors alike, targeting the complexities of modern web protocol implementations. The open-source nature of XQUIC means that a fix, once available, will need to be widely adopted by all downstream integrators. Until then, the window for exploitation remains open, making this a significant threat for companies utilizing the affected library. The lack of a CVE assignment as of the disclosure date means that organizations need to proactively monitor for updates directly from Alibaba or FoxIO regarding this specific flaw.
Remediation
As there is currently no patch available for the XRING vulnerability in Alibaba’s XQUIC library, immediate remediation focuses on mitigation strategies. Operators of affected HTTP/3 servers have two primary options:
- Disable QPACK Dynamic Table: By setting
SETTINGS_QPACK_MAX_TABLE_CAPACITYto 0, organizations can disable QPACK’s dynamic table feature. While this might slightly impact header compression efficiency, it prevents the specific mechanism exploited by XRING. - Drop HTTP/3 Support Entirely: As a more drastic measure, organizations can temporarily disable HTTP/3 support on their servers until a patch is released and thoroughly tested. This would force clients to fall back to HTTP/2 or earlier versions, thus eliminating the attack surface.
Organizations should also closely monitor official channels from Alibaba and FoxIO for the release of a patch. Once a fix is available, it should be applied immediately following standard testing procedures to prevent exploitation. Due to the critical severity and ease of exploitation, prompt action is highly recommended.
Found something similar in your stack?
Let's find out before it becomes an incident.
Book an advisory call