{
  "variant_id": "xring-vulnvariant-0001",
  "created_at": "2026-07-09T20:30:00Z",
  "variant_summary": "Variant/bypass analysis of CVE-2026-XRING (Alibaba XQUIC xqc_ring_mem_resize both-truncated ori_sz1 capacity confusion). Tested 3 materially different QPACK encoder-stream payloads (P1 original PoC mcap=128/sidx=122; P2 alternate wrap state mcap=128/sidx=118; P3 alternate grow factor mcap=256/sidx=246) against ASAN builds of the vulnerable v1.9.4 and the one-line-fixed v1.9.4. Vulnerable build: ASAN heap-buffer-overflow READ in xqc_ring_mem_resize:139 + crash (exit 134) on 3/3. Fixed build: ASAN-clean/alive on 3/3. Audited all resize branches, the xqc_ring_mem_copy helper, and every caller (decoder Set Dynamic Table Capacity = only attacker trigger; encoder SETTINGS path = covered but not triggerable, rmem->used==0; INSERT/DUP = no resize). Result: NO BYPASS, NO distinct uncovered variant; the one-line fix (ori_sz1 = rmem->capacity - soffset_ori) is complete and generalizes across ring offsets and grow factors. The both-truncated sub-branch A (new_sz1>=ori_sz1) is provably unreachable for any legal grow, so only sub-branch B (the PoC path) fires, and both share the fixed ori_sz1 line.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "alibaba/xquic",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "96155cffbde7f062fe45ac3f6899f47e25709d30",
    "version": "v1.9.4",
    "ref": "v1.9.4",
    "display": "alibaba/xquic v1.9.4 (commit 96155cf) - vulnerable"
  },
  "variant_target": {
    "target_kind": "git_tag_with_local_patch",
    "commit_sha": "96155cffbde7f062fe45ac3f6899f47e25709d30",
    "version": "v1.9.4",
    "ref": "v1.9.4 + local one-line patch",
    "display": "alibaba/xquic v1.9.4 (commit 96155cf) + one-line fix ori_sz1 = rmem->capacity - soffset_ori (no upstream patch; v1.9.4 is latest release)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "network_protocol",
  "validated_surface": "network_protocol",
  "required_entrypoint_kind": "tcp_peer",
  "required_entrypoint_detail": "QUIC/HTTP3 UDP peer: remote unauthenticated client opens HTTP/3 control stream + QPACK encoder unidirectional stream and sends Set Dynamic Table Capacity / Insert instructions to the XQUIC HTTP/3 server (demo_server)",
  "attacker_controlled_input": "spec-compliant QPACK encoder-stream instructions: Set Dynamic Table Capacity, repeated Insert(x:y), a final Insert(AAAAA:BBBBB), and a growing Set Dynamic Table Capacity. Three payload shapes (P1/P2/P3) varying insert count (wrap state) and final capacity (grow factor/mcap).",
  "trigger_path": "quic-go client dials XQUIC demo_server over QUIC/UDP -> HTTP3 control stream + QPACK encoder uni stream -> xqc_qpack_on_encoder_ins (XQC_INS_TYPE_ENC_SET_DTABLE_CAP) (xqc_qpack.c:261) -> xqc_decoder_set_dtable_cap (xqc_decoder.c:243) -> xqc_dtable_set_capacity (xqc_dtable.c:602) -> xqc_ring_mem_resize both-truncated branch (xqc_ring_mem.c:129 computes ori_sz1 = mcap - soffset_ori [bug]; :139 is the OOB-read memcpy) -> heap OOB read + size_t underflow into memcpy -> ASAN abort / glibc _FORTIFY_SOURCE abort (exit 134)",
  "observed_impact_class": "dos",
  "additional_observed_impact_class": "heap_oob_read",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": "no_bypass_found_fix_complete",
  "blocking_mitigation": "one-line fix ori_sz1 = rmem->capacity - soffset_ori in xqc_ring_mem_resize (src/common/utils/ringmem/xqc_ring_mem.c:129). No upstream patch exists (v1.9.4 is the latest release as of 2026-07-09). Deploy-time mitigation: advertise SETTINGS_QPACK_MAX_TABLE_CAPACITY=0 to disable the QPACK dynamic table.",
  "file_path": "src/common/utils/ringmem/xqc_ring_mem.c",
  "line_start": 129,
  "line_end": 139,
  "secondary_anchors": [
    {"file_path": "src/http3/qpack/dtable/xqc_dtable.c", "line_start": 586, "line_end": 612},
    {"file_path": "src/http3/qpack/xqc_decoder.c", "line_start": 238, "line_end": 244},
    {"file_path": "src/http3/qpack/xqc_qpack.c", "line_start": 248, "line_end": 262},
    {"file_path": "src/http3/xqc_h3_conn.c", "line_start": 713, "line_end": 724}
  ],
  "review_scope_paths": [
    "src/common/utils/ringmem/xqc_ring_mem.c",
    "src/common/utils/ringmem/xqc_ring_mem.h",
    "src/http3/qpack/dtable/xqc_dtable.c",
    "src/http3/qpack/dtable/xqc_dtable.h",
    "src/http3/qpack/xqc_decoder.c",
    "src/http3/qpack/xqc_encoder.c",
    "src/http3/qpack/xqc_qpack.c",
    "src/http3/xqc_h3_conn.c"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/variant_matrix_summary.txt",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": ["bundle/vuln_variant/reproduction_steps.sh"]
  }
}
