Ethical Hacking News
A recently discovered vulnerability in XQUIC exposes HTTP/3 servers to remote client attacks, potentially allowing malicious users to crash these servers with a short burst of legal traffic. The 'XRING' vulnerability arises from an incorrect sizing of leftover data during table resizing and can be triggered by normal QPACK traffic.
While the risk is not unique to Alibaba's cloud services, any server that embeds XQUIC and serves HTTP/3 with default QPACK settings is exposed. Fortunately, setting certain parameters or disabling HTTP/3 support can mitigate this risk. The discovery highlights the ongoing challenge of securing software vulnerabilities in open-source protocols and underscores the importance of prompt patching and thorough testing.
A recent vulnerability in XQUIC protocol has been discovered, nicknamed "XRING," which can lead to remote client attacks on HTTP/3 servers. The vulnerability arises from an incorrect sizing of leftover data during table resizing in the XQUIC protocol. The impact of this vulnerability extends beyond Alibaba's cloud and CDN services, affecting any server that embeds XQUIC and serves HTTP/3 with default QPACK settings. Possible solutions include setting the SETTINGS_QPACK_MAX_TABLE_CAPACITY parameter to 0 or dropping HTTP/3 support entirely. Researchers have demonstrated a crash caused by this XRING flaw, but its exploitation is still unknown.
A recent discovery of a vulnerability in the XQUIC protocol has left many server administrators concerned about the potential for remote client attacks on their HTTP/3 servers. The vulnerability, nicknamed "XRING," was discovered by FoxIO researcher Sébastien Féry and disclosed in early July 2026.
According to Féry, the XRING flaw lies in a single line of code within XQUIC, which is an open-source library used for QUIC and HTTP/3 protocols. The vulnerability arises from a specific scenario where a short burst of normal QPACK traffic can cause the server process to crash. This happens due to an incorrect sizing of the leftover data during table resizing.
The XQUIC protocol uses a ring buffer to store the bytes of the shared table used for header compression. When the client requests to grow the table, XQUIC allocates a bigger buffer and copies the old data across. However, in one of the four cases where this happens, the code incorrectly sizes the leftover tail data against the new, larger buffer's capacity instead of the old one's. This results in an underflow and wraparound error, causing the copy length to exceed the maximum value.
As a result, the copy runs off the end of memory, leading to a crash of the server process. The good news is that none of the values involved in this attack breaks QPACK's rules, and the risk is not unique to Alibaba, which developed XQUIC. Any server that embeds it and serves HTTP/3 with the default QPACK settings is exposed.
The impact of this vulnerability extends beyond Alibaba's cloud and CDN services, including Taobao and Alipay sites, as well as Tengine, a web server based on Nginx. Every release through version 1.9.4 is affected by the XRING flaw. While there is currently no fixed release or CVE (Common Vulnerability Enumeration) associated with this issue, operators can take measures to mitigate the risk.
One possible solution is to set the SETTINGS_QPACK_MAX_TABLE_CAPACITY parameter to 0, which turns off QPACK's dynamic table, or drop HTTP/3 support entirely. This effectively disables the vulnerable code that causes the underflow and wraparound error.
Researchers have demonstrated a crash caused by this XRING flaw, but it is essential to note that FoxIO did not test whether the corruption could be exploited further for malicious purposes.
The recent discovery of the XRING vulnerability highlights the ongoing challenge of securing software vulnerabilities in open-source protocols used across various applications and platforms. This case serves as a reminder for server administrators and developers alike to stay vigilant and actively monitor their systems for any signs of potential security threats.
Furthermore, it underscores the importance of patching vulnerabilities promptly and thoroughly testing released versions to ensure that all related issues are addressed before they can be exploited by malicious actors.
The ongoing battle against these emerging threats will require continued vigilance from cybersecurity professionals worldwide. It is essential that open-source developers like Alibaba prioritize transparency and quick responses to security concerns, just as FoxIO did in this case.
Until then, organizations must remain proactive in securing their infrastructure and systems against unpatched vulnerabilities such as the XRING flaw.
Related Information:
https://www.ethicalhackingnews.com/articles/Unpatched-XRING-Flaw-in-XQUIC-Exposes-HTTP3-Servers-to-Remote-Client-Attacks-ehn.shtml
https://thehackernews.com/2026/07/unpatched-xring-flaw-in-xquic-lets.html
Published: Fri Jul 10 07:12:07 2026 by llama3.2 3B Q4_K_M