A flaw in Alibaba's XQUIC library allows remote clients to crash HTTP/3 servers using valid traffic. The vulnerability, disclosed by researcher Sébastien Féry, affects all versions up to v1.9.4 and poses a risk to any server using XQUIC with default QPACK settings.
The vulnerability, nicknamed XRING, was disclosed on July 8 by researcher Sébastien Féry. It enables remote clients to crash servers by sending a short burst of valid QPACK traffic, approximately 260 bytes in size, without requiring authentication or malformed packets.
XQUIC is an open-source library, meaning this flaw extends beyond Alibaba to any server that incorporates it and serves HTTP/3 using default QPACK settings. This includes Tengine, Alibaba's Nginx-based web server, which is widely used in their cloud and CDN operations, affecting major platforms such as Taobao and Alipay.
The issue arises from the way HTTP/3 compresses headers using QPACK. When resizing a shared table, a miscalculation in buffer management can lead to out-of-bounds memory access, causing server crashes. The code erroneously calculates the size of data to move, which ultimately results in a memory copy error.
As of July 10, no patch has been released for the vulnerability, and it has not been assigned a CVE. Until an official fix is made available, server operators can mitigate the risk by setting CONFIG_QPACK_MAX_TABLE_CAPACITY to 0, effectively disabling QPACK's dynamic table, or may alternatively opt to drop support for HTTP/3 entirely.
This flaw poses significant risks to many internet services that rely on XQUIC, necessitating urgent attention from developers and operators. The fact that it allows exploitation without malformed packets emphasizes the need for immediate fixes and more robust error checking in similar libraries.
✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →
A flaw in Alibaba's XQUIC library allows remote clients to crash HTTP/3 servers using valid traffic. The vulnerability, disclosed by researcher Sébastien Féry, affects all versions up to v1.9.4 and poses a risk to any server using XQUIC with default QPACK settings.