REPRO-2026-00284: XRING: Alibaba XQUIC QPACK ring-buffer resize underflow
REPRO-2026-00284 is verified against Alibaba XQUIC · github affected versions: All XQUIC versions through v1.9.4 (since first public release Jan 2022) This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00284.
pruva-verify REPRO-2026-00284 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00284/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Novel unknown 0-day investigation in the latest available Alibaba XQUIC release. We are confident a fresh exploitable issue exists, but the vulnerable path, trigger, sink, and exact attack surface are unknown. Agents must independently discover the attack surface, identify the execution primitive, and reproduce code execution or crash-from-exploitation from scratch against the latest release. This is a discovery-first task and should not be treated as a simple replay of a prior disclosure; search broadly for any new HTTP/3, QPACK, ring-buffer, or transport parsing path that yields exploitation.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.