Existing PRAC frameworks for DDR5 suffer from insufficient security guarantees, coarse-grained mitigation granularity, and substantial performance overhead—particularly struggling to precisely identify high-risk DRAM rows while meeting real-time and scalability requirements. This paper proposes the first secure and practical PRAC-compatible mitigation mechanism. We design a Priority Service Queue (PSQ) based on activation counting to enable fine-grained, real-time row-level scheduling. Furthermore, we integrate Alert Back-Off (ABO), Refresh Management (RFM), and periodic refresh (REF) to jointly support both opportunistic and proactive mitigation. Our approach supports Rowhammer thresholds as low as 71 activations and incurs only 0.8% performance overhead under benign workloads; with proactive mitigation enabled, overhead drops to 0%. These results significantly outperform state-of-the-art solutions in security, granularity, latency, and efficiency.

JEDEC has introduced the Per Row Activation Counting (PRAC) framework for DDR5 and future DRAMs to enable precise counting of DRAM row activations. PRAC enables a holistic mitigation of Rowhammer attacks even at ultra-low Rowhammer thresholds. PRAC uses an Alert Back-Off (ABO) protocol to request the memory controller to issue Rowhammer mitigation requests. However, recent PRAC implementations are either insecure or impractical. For example, Panopticon, the inspiration for PRAC, is rendered insecure if implemented per JEDEC's PRAC specification. On the other hand, the recent UPRAC proposal is impractical since it needs oracular knowledge of the `top-N' activated DRAM rows that require mitigation. This paper provides the first secure, scalable, and practical RowHammer solution using the PRAC framework. The crux of our proposal is the design of a priority-based service queue (PSQ) for mitigations that prioritizes pending mitigations based on activation counts to avoid the security risks of prior solutions. This provides principled security using the reactive ABO protocol. Furthermore, we co-design our PSQ, with opportunistic mitigation on Refresh Management (RFM) operations and proactive mitigation during refresh (REF), to limit the performance impact of ABO-based mitigations. QPRAC provides secure and practical RowHammer mitigation that scales to Rowhammer thresholds as low as 71 while incurring a 0.8% slowdown for benign workloads, which further reduces to 0% with proactive mitigations.