TTP Advisory: XRING | No CVE | Severity: High (DoS) | Vendor: Alibaba | Product: XQUIC (QUIC/HTTP/3 library) | Affected: All releases through v1.9.4 | Impact: Tengine, Alibaba Cloud, Taobao, Alipay | Discovered by: FoxIO (Sebastien Fery)
What Is the Vulnerability
FoxIO researcher Sebastien Fery disclosed an unpatched vulnerability in XQUIC, Alibaba’s open-source QUIC and HTTP/3 library, nicknamed ‘XRING’. The flaw allows any remote client to crash an HTTP/3 server with a short burst of completely legal traffic — approximately 260 bytes of ordinary QPACK traffic is sufficient to take the server process down. The bug lives in how the QPACK dynamic table is handled: a single wrong variable on one line causes the server to crash. No authentication is required, no malformed packets are needed. Every XQUIC release through v1.9.4 (the latest) is affected. There is no fixed release and no CVE as of publication.
Versions Affected
- XQUIC — all releases through v1.9.4
XQUIC is open-source and embedded in Alibaba’s Tengine (Nginx-based web server), which fronts Alibaba Cloud, the Alibaba CDN, Taobao, and Alipay. Any server embedding XQUIC with default QPACK settings is exposed.
Exploited?
No confirmed exploitation in the wild at time of publication. The vulnerability was disclosed responsibly on July 8. However, the attack requires no authentication and no malformed packets, making it trivially exploitable once the technical details are understood.
Fix
No fix is available as of publication. Until a patch ships, operators have two options:
- Workaround 1: Set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0, which disables QPACK’s dynamic table compression.
- Workaround 2: Drop HTTP/3 support entirely on XQUIC-based servers.
Recommendations
- Apply workaround: Disable QPACK dynamic tables or HTTP/3 until a patch is available.
- Monitor for patch: Track the XQUIC project for a fixed release.
- Consider impact: Organisations using Alibaba Cloud services should check whether their infrastructure is affected.
References
- The Hacker News: XRING XQUIC
- FoxIO Research
Part of the Vulnerability Intelligence series on threat-modeling.com. July 10, 2026 Report.
