Unpatched XRING Flaw in XQUIC Allows Remote HTTP/3 Server Crashes

A critical vulnerability, dubbed XRING, has been identified in XQUIC, Alibaba’s open-source QUIC and HTTP/3 library. This flaw enables remote clients to crash HTTP/3 servers by sending a small amount of legitimate traffic. As of July 10, 2026, no patch has been released to address this issue.

Security researcher Sébastien Féry from FoxIO disclosed the XRING vulnerability on July 8, 2026. The flaw allows an unauthenticated remote client to crash the server by transmitting approximately 260 bytes of standard QPACK traffic. Notably, this attack does not require malformed packets or authentication, making it particularly concerning.

XQUIC is widely used beyond Alibaba, as it is open-source and integrated into various servers that support HTTP/3 with default QPACK settings. One such server is Tengine, Alibaba’s Nginx-based web server, which powers major services like Taobao and Alipay. Consequently, any server utilizing XQUIC up to version 1.9.4 is vulnerable to this exploit.

The root cause of the XRING vulnerability lies in XQUIC’s handling of HTTP/3 header compression through QPACK. To optimize header transmission, QPACK maintains a dynamic table that clients can instruct the server to resize via the encoder stream. XQUIC stores this table in a ring buffer—a fixed-size memory block that wraps around when full.

When a client requests an increase in the table size, XQUIC allocates a larger buffer and attempts to copy existing data into it. However, a flaw in the code miscalculates the amount of data to copy, leading to an out-of-bounds memory write. Specifically, the code overestimates the data to be copied by referencing the new buffer’s capacity instead of the old one, resulting in a significant overcount. This miscalculation causes the copy operation to exceed memory boundaries, potentially crashing the server process.

In environments with security features like glibc’s _FORTIFY_SOURCE=2, the system detects the erroneous copy length and terminates the process to prevent further damage. However, in systems lacking such protections, the out-of-bounds write could lead to memory corruption, with the potential for more severe exploitation.

To mitigate the risk posed by XRING until an official patch is available, server operators can set the SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0. This configuration disables QPACK’s dynamic table, effectively neutralizing the vulnerability. Alternatively, disabling HTTP/3 support entirely can also prevent exploitation.

XRING is part of a series of recent vulnerabilities affecting HTTP/2 and HTTP/3 implementations. For instance, in June 2026, the HTTP/2 Bomb attack exploited header compression mechanisms to cause denial-of-service conditions across multiple servers, including Nginx, Apache, IIS, and Envoy. Similarly, in February 2026, HAProxy addressed two QUIC-related crashes, one involving an integer underflow during token validation—a flaw similar in nature to XRING.

The discovery of XRING underscores the importance of rigorous input validation and memory management in protocol implementations. As HTTP/3 adoption grows, ensuring the security of its underlying libraries becomes paramount. Organizations utilizing XQUIC should promptly apply the recommended mitigations and stay vigilant for official patches to safeguard their infrastructure against potential attacks.