What 260 bytes actually do
The flaw, disclosed on 8 July by FoxIO researcher Sebastien Fery and nicknamed XRING, lives in QPACK, the header-compression scheme that HTTP/3 relies on. None of the values in the attack break QPACK's rules. XQUIC advertises a 16 KiB dynamic-table limit by default; the payload asks for 64 bytes, then 65, and drives the table into an exact wrapped memory layout that hits a faulty branch. The server process falls over. No credentials, no oversized packets, nothing a firewall flags as malformed.
That is what makes it dangerous. Most denial-of-service filtering looks for volume or obviously bad input, and XRING is neither. It is a small, well-formed request that a normal client could send by accident, and it does its damage in the parsing path before any application logic runs. Every XQUIC release through v1.9.4, the current one, is affected, and there is no fixed version to upgrade to.
Why you might be running it without knowing
XQUIC is Alibaba's open-source QUIC and HTTP/3 library, which means the risk is not Alibaba's alone. It is embedded in Tengine, the company's Nginx-based web server, which FoxIO says fronts Alibaba's cloud and content-delivery network on properties including Taobao and Alipay. Any operator who pulled XQUIC into their own stack, or who runs a product that bundles it upstream, inherits the same weakness whether or not they know the dependency is there.
This is the uncomfortable part for anyone running modern web infrastructure. HTTP/3 has climbed quietly through CDNs and load balancers, and the libraries underneath are shared. A flaw in one widely embedded QUIC implementation is not a single vendor's problem, it is a supply-chain exposure that surfaces wherever that code was reused. The dependency you cannot name is the one you cannot patch.
The fix is a config line, and no CVE will warn you
Until a corrected release ships, the mitigation is operational, not a download. You can set SETTINGS_QPACK_MAX_TABLE_CAPACITY to 0, which turns off QPACK's dynamic table and removes the vulnerable path, or you can drop HTTP/3 support and fall back to HTTP/2 while a fix is prepared. Both are changes an operator makes to their own configuration today, not a wait for a vendor patch cycle.
The wider lesson is about how the warning arrives, or does not. As of 10 July there is no CVE for XRING, so any team that watches only CVE feeds or waits for a patch-Tuesday bulletin will see nothing. The defensible move is to inventory where HTTP/3 and QPACK actually run in your estate, confirm which QUIC library sits underneath, and treat no CVE yet as a reason to act rather than a reason to relax.
Read next: Alibaba Bans Claude Code as a Backdoor Risk | A Defender Flaw Lets a Local User Take Over the PC



