
XRING Integer Underflow in XQUIC QPACK Resizes Enables Remote HTTP/3 DoS Since 2022
XRING is an unauthenticated remote crash in XQUIC's QPACK ring-buffer resize logic present since the library's first public release. Disclosure attempts were ignored and no patch or CVE has appeared. The bug joins a widening set of header-compression DoS vectors that affect multiple HTTP/3 and HTTP/2 stacks.
The defect sits in XQUIC's handling of dynamic table growth on the encoder stream. When the client requests a capacity increase that causes the write cursor to wrap, one of four copy cases substitutes the new buffer size for the old, yielding an oversized subtraction that underflows to a huge memcpy length. All releases through 1.9.4 are affected; no CVE or patched tag exists. Tengine deployments serving Taobao and Alipay remain exposed by default. FoxIO's disclosure timeline shows initial contact on 7 April followed by four unanswered follow-ups through 9 May. The project's stated SLA of three working days was never met. The same QPACK control channel previously yielded a use-after-free in nginx's HTTP/3 module (CVE-2026-42530) and parallels the HPACK Bomb pattern that hit multiple HTTP/2 stacks in June. XRING requires only legal traffic, lowering the bar further. The pattern across QUIC implementations reveals systemic fragility in header-compression state machines under resize operations. Integer handling errors recur because the encoder stream mixes capacity negotiation with ring-buffer maintenance without sufficient bounds checks. Operators who cannot set SETTINGS_QPACK_MAX_TABLE_CAPACITY to zero inherit an unauthenticated availability attack surface that scales with any adoption of the library. Alibaba has not published a remediation timeline. Absent an upstream fix, downstream users embedding XQUIC must either disable dynamic QPACK or drop HTTP/3. Continued silence after five disclosure attempts increases the probability that the flaw remains live in production CDNs and cloud edges for months.
Alibaba security: No patch or CVE assigned by 15 September 2026 despite public disclosure
Sources (3)
- [1]FoxIO XRING Technical Write-up(https://foxio.io/research/xring)
- [2]nginx CVE-2026-42530 Advisory(https://nginx.org/en/security_advisories.html)
- [3]The Hacker News XRING Report(https://thehackernews.com/2026/07/unpatched-xring-flaw-in-xquic-lets.html)