Critical XRING Flaw in XQUIC Allows Remote Server Crashes
A single flaw in Alibaba's XQUIC library, which implements QUIC and HTTP/3, allows remote clients to crash servers using a short burst of completely legal traffic. The vulnerability, nicknamed XRING, was disclosed by FoxIO researcher Sébastien Féry on July 8. It requires no login or malformed packets, making it highly exploitable.
Key Details of the XRING Vulnerability
- Affected Library: XQUIC, Alibaba's open-source QUIC and HTTP/3 library.
- Impact: Any remote client can crash servers by sending approximately 260 bytes of ordinary QPACK traffic.
- Affected Versions: All releases up to v1.9.4, the latest version as of July 10.
- Mitigation: Operators can disable QPACK's dynamic table by setting
SETTINGS_QPACK_MAX_TABLE_CAPACITYto 0 or drop HTTP/3 support entirely.
The vulnerability stems from a flaw in how XQUIC handles header compression in HTTP/3. The library uses QPACK to avoid resending headers like user-agent repeatedly. QPACK maintains a shared table that clients direct the server to build and resize via a dedicated control channel called the encoder stream. XQUIC stores this table in a ring buffer, a fixed block of memory where data wraps from the end back to the start once it fills.
When the client requests to grow the table, XQUIC allocates a larger buffer and copies the old data across. However, one of the four cases for this operation miscalculates the size of the leftover tail data, leading to a memory copy that runs off the end of the buffer. This causes a crash.
Technical Analysis
Féry demonstrated that growing a 64-byte table with the write cursor near the end and resizing to 65 bytes causes XQUIC to miscalculate 70 tail bytes instead of 6. This incorrect value flows into a memory copy operation, resulting in an out-of-bounds write. In a release build on Ubuntu 26.04, glibc's _FORTIFY_SOURCE=2 caught the bad length and killed the process. Without this check, the copy writes out of bounds, potentially leading to further exploitation.
The attack uses legal QPACK inputs, making it difficult to detect. XQUIC advertises a 16 KiB dynamic-table limit by default, but the payload only requests 64 bytes, then 65. The client must drive the table into a specific wrapped layout to trigger the flaw.
Broader Implications
XRING is the latest in a series of remote crashes affecting HTTP/2 and HTTP/3 stacks. Earlier this year, vulnerabilities were reported in NGINX's HTTP/3 module and other HTTP/2 implementations, highlighting the risks associated with header compression mechanisms like QPACK and HPACK.
FoxIO reported the vulnerability to Alibaba on April 7 but received no response despite multiple follow-ups. As of July 10, there is no fixed release or CVE assigned to the issue. The Hacker News has reached out to Alibaba and FoxIO for further details.
Recommendations
Until a fix is released, operators using XQUIC are advised to:
- Disable QPACK's dynamic table by setting
SETTINGS_QPACK_MAX_TABLE_CAPACITYto 0. - Disable HTTP/3 support entirely if feasible.
The vulnerability has been present in XQUIC since its first public release in January 2022, and a proof of concept is publicly available. Operators are urged to take immediate action to mitigate the risk.