Executive Summary
A critical, unpatched vulnerability known as XRING has been disclosed in the XQUIC library, an open-source implementation of QUIC and HTTP/3 protocols maintained by Alibaba. This flaw enables any remote, unauthenticated client to crash HTTP/3 servers using XQUIC with as little as 260 bytes of legal QPACK traffic. There is currently no patch or CVE assigned as of July 10, 2026. All XQUIC releases up to and including v1.9.4 are affected, impacting any server embedding XQUIC with default QPACK settings, including Alibaba’s Tengine (used by Taobao, Alipay, and Alibaba Cloud/CDN). The vulnerability is trivial to exploit and poses a significant risk of denial-of-service to organizations relying on HTTP/3 infrastructure built on XQUIC.
Technical Information
The XRING vulnerability is a memory corruption flaw in the QPACK dynamic table implementation within XQUIC. QPACK is the header compression mechanism for HTTP/3, utilizing a shared dynamic table managed as a ring buffer. When a client requests to grow this table, XQUIC reallocates a larger buffer and copies data from the old buffer. The flaw arises from an incorrect calculation in one code path: the amount of data to copy is determined using the new buffer’s capacity instead of the old one, resulting in a significant overcount. This miscalculation leads to an unsigned integer underflow, causing the memory copy operation to run off the end of the buffer.
On systems with glibc’s _FORTIFY_SOURCE=2, the process is terminated immediately; on others, the result is an out-of-bounds write and a server crash. The attack does not require malformed packets or authentication—only a carefully crafted sequence of legal QPACK instructions, totaling approximately 260 bytes, is sufficient to trigger the flaw. The vulnerability has existed since the first public release of XQUIC in January 2022 and affects all subsequent versions up to v1.9.4.
A public proof-of-concept (PoC) was released by a FoxIO researcher, demonstrating the ease with which a remote client can crash a vulnerable server. The attack leverages only protocol-compliant QPACK traffic, making detection via traditional anomaly-based intrusion detection systems challenging.
Exploitation in the Wild
As of July 10, 2026, there have been no confirmed reports of exploitation in the wild. The vulnerability has been publicly disclosed, and a PoC is available, but there is no evidence of active exploitation or weaponization by threat actors. The CISA Known Exploited Vulnerabilities (KEV) catalog does not list this vulnerability or the related CVE-2026-42530 (a different bug in NGINX’s HTTP/3 module), so there is no CISA-confirmed exploitation at this time.
APT Groups using this vulnerability
There is currently no evidence that any Advanced Persistent Threat (APT) groups or other threat actors are exploiting the XRING vulnerability. No targeted attacks or campaigns leveraging this flaw have been observed in public or private threat intelligence feeds. The vulnerability remains a high-risk issue due to its trivial exploitation vector and the public availability of a PoC, but as of this report, it has not been adopted by known threat groups.
Affected Product Versions
The XRING vulnerability affects all versions of XQUIC from its initial public release in January 2022 through v1.9.4 (the latest as of July 10, 2026). Any HTTP/3 server embedding XQUIC with default QPACK settings is vulnerable. This includes, but is not limited to, Alibaba’s Tengine web server, which is widely deployed in Alibaba Cloud, Taobao, and Alipay infrastructures. No specific third-party forks or integrations have been listed in public disclosures, but all such deployments using XQUIC up to v1.9.4 are at risk.
Workaround and Mitigation
There is currently no official patch for the XRING vulnerability. Organizations are advised to implement the following temporary mitigations:
Set the SETTINGS_QPACK_MAX_TABLE_CAPACITY parameter to 0 to disable QPACK’s dynamic table, effectively turning off dynamic header compression. This mitigates the vulnerability by preventing the vulnerable code path from being triggered. Alternatively, organizations may choose to disable HTTP/3 support entirely until a patch is available. It is also recommended to closely monitor for abnormal server crashes and investigate QPACK traffic patterns for signs of exploitation attempts.
Indicators of Compromise
The following caveat applies: Indicators of compromise are point-in-time and should be validated before enforcement. At the time of writing, no public indicators of compromise (IOCs) specific to the XRING vulnerability have been published in any referenced sources. Organizations should monitor for sudden, unexplained crashes of HTTP/3 servers using XQUIC, especially after receiving small bursts (approximately 260 bytes) of QPACK traffic, and for core dumps or logs indicating memory corruption or buffer overflows in QPACK dynamic table handling.
No public indicators of compromise were available at the time of writing.
References
The Hacker News: Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers, Hazetec Brief, Threat Modeling Write-up, Reddit: r/SecOpsDaily, FoxIO Researcher
Rescana is here for you
Rescana provides a comprehensive Third-Party Risk Management (TPRM) platform that empowers organizations to continuously monitor, assess, and mitigate cyber risks across their supply chain and digital ecosystem. Our platform delivers actionable intelligence, automated workflows, and deep visibility into vendor security posture, helping you stay ahead of emerging threats. We are happy to answer any questions at info@rescana.com.



