Remote Crash Vulnerability Discovered in Alibaba’s XQUIC Library for HTTP/3

A single arithmetic error in XQUIC's memory handling during QPACK table resizing lets any remote client crash HTTP/3 servers with normal network traffic.

CSBadmin
3 Min Read

Vulnerability Overview

A critical flaw has been identified in XQUIC, Alibaba’s open source library implementing the QUIC transport protocol and HTTP/3. Dubbed XRING by researcher Sébastien Féry of FoxIO, the vulnerability allows any remote client to crash a server by sending roughly 260 bytes of ordinary QPACK header compression traffic. No authentication, malformed packets, or special privileges are required for the attack.

The bug affects all XQUIC releases through version 1.9.4, the latest available. Because XQUIC is open source and embedded in various projects, the risk extends beyond Alibaba’s own infrastructure. Tengine, Alibaba’s Nginx based web server that powers the company’s cloud and CDN services including Taobao and Alipay, is also exposed when serving HTTP/3 with default QPACK settings.

Technical Detail and Impact

The flaw resides in how XQUIC handles QPACK, the header compression mechanism for HTTP/3. QPACK maintains a dynamic table shared between client and server to avoid repeatedly sending identical headers. XQUIC stores this table in a ring buffer, a fixed memory block where data wraps from end to start when full.

When a client requests a table resize, XQUIC allocates a larger buffer and copies existing data. In one of four possible memory layout scenarios during this copy, the code incorrectly calculates the size of remaining data using the new buffer’s capacity instead of the old one’s. This arithmetic error causes an integer underflow in an unsigned size_t value, leading to a massive memory copy that overruns the destination buffer. In FoxIO’s tests on Ubuntu 26.04, glibc’s buffer overflow protection caught the invalid length and terminated the process. Without such protection, the out of bounds write could potentially be exploited further.

The researcher demonstrated a crash but did not confirm whether the heap corruption could lead to code execution. All QPACK values in the attack remain within protocol specifications, making detection difficult. The vulnerability has existed since XQUIC’s first public release in January 2022. FoxIO reported the issue to Alibaba through the project’s security policy on April 7, 2026, but received no response after five follow up attempts through May 9. As of July 10, no fix or CVE has been released.

Until a patch becomes available, operators can mitigate by setting SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0 (disabling QPACK’s dynamic table) or removing HTTP/3 support entirely. This vulnerability follows a pattern of similar remote crash flaws in HTTP/2 and HTTP/3 stacks, including a recent use after free in NGINX’s HTTP/3 module (CVE-2026-42530) and the HTTP/2 Bomb denial of service attack.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

TAGGED:
Share This Article
Follow:
The latest in cybersecurity news and updates.