NRDAX-T0042 - Crypto Frame Reassembly Buffer Exhaustion
memory_amp · active · first seen 2026-07-10
provenance: Reproduced in NullRabbit's attack-reproduction pipeline
mechanism
quiche QUIC CRYPTO-frame flood (CVE-2024-1765): flood of QUIC long-header packets each carrying a CRYPTO frame (type 0x06) whose offset escalates by a fixed stride (4096) - leaving the crypto reassemb
instances (2)
| chain | primitive | fidelity | origin | reproducer (bundle) | source |
|---|---|---|---|---|---|
| quic | quiche_crypto_frame_flood | lab | reverse-engineered-cve | quiche_crypto_frame_flood | CVE-2024-1765 / GHSA-78wx-jg4j-5j6g — cloudflare/quiche: 'Unlimited resource allocation by QUIC CRYPTO frames flooding.' A remote peer repeatedly sends an unlimited number of QUIC CRYPTO frames (type 0x06) over an established connection; quiche buffered the CRYPTO reassembly stream without bounding total retained state, so the flood makes memory usage of the quiche server OR client climb for the duration of the connection (availability DoS, CVSS 3.1 5.9). Affected quiche <= 0.19.1, 0.20.0; fixed in 0.19.2, 0.20.1. Reported by Marten Seemann. Advisory: https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g |
| quic | s2n_quic_crypto_offset_amplification | lab | reverse-engineered-cve | s2n_quic_crypto_offset_amplification | CVE-2026-10740 / GHSA-9q54-f358-3fqf — aws/s2n-quic: CRYPTO-frame offset amplification. The CRYPTO-frame reassembly buffer lacks maximum-size enforcement, so a CRYPTO frame (type 0x06) carrying an artificially HIGH offset forces the receiver to reserve reassembly buffer up to that offset even though the delivered body is tiny: a single ~1200-byte packet causes ~9.4 MB of allocation (~7800x). No authentication or valid handshake is required — the crafted CRYPTO frames ride pre-handshake QUIC Initial packets, so an unauthenticated peer can repeatedly transmit them to exhaust server memory (availability DoS, CVSS 3.1 5.3). Affected s2n-quic <= 1.81.0; fixed in 1.82.0. Advisory: https://github.com/aws/s2n-quic/security/advisories/GHSA-9q54-f358-3fqf |
related (memory_amp)
NRDAX-T0023 - Coalesced Packet Buffer Leak active NRDAX-T0025 - Compact Block Size Integer Overflow active NRDAX-T0038 - Count Underflow Header Serving Amplification active NRDAX-T0046 - Decompression Bomb Resource Exhaustion active NRDAX-T0059 - Duplicate Transport Parameter Memory Leak active NRDAX-T0061 - Duplicate Tx Mempool Index Desync active NRDAX-T0071 - Ethash Verification Memory Exhaustion active NRDAX-T0095 - GraphQL Alias Query Amplification active
cite
https://nrdax.com/techniques/NRDAX-T0042
plain
NRDAX Registry. Technique NRDAX-T0042.
bibtex
@misc{nrdax_NRDAX_T0042,
title = {Crypto Frame Reassembly Buffer Exhaustion (NRDAX-T0042)},
howpublished = {NRDAX Registry},
url = {https://nrdax.com/techniques/NRDAX-T0042},
} json (csl)
{
"id": "nrdax-NRDAX-T0042",
"type": "dataset",
"title": "Crypto Frame Reassembly Buffer Exhaustion (NRDAX-T0042)",
"URL": "https://nrdax.com/techniques/NRDAX-T0042",
"publisher": "NRDAX Registry"
}