NRDAX
Submit

← registry

NRDAX-T0042 - Crypto Frame Reassembly Buffer Exhaustion

memory_amp · active · first seen 2026-07-10

provenance: Reproduced in NullRabbit's attack-reproduction pipeline

mechanism

quiche QUIC CRYPTO-frame flood (CVE-2024-1765): flood of QUIC long-header packets each carrying a CRYPTO frame (type 0x06) whose offset escalates by a fixed stride (4096) - leaving the crypto reassemb

instances (2)

chainprimitivefidelityoriginreproducer (bundle)source
quic quiche_crypto_frame_flood lab reverse-engineered-cve quiche_crypto_frame_flood CVE-2024-1765 / GHSA-78wx-jg4j-5j6g — cloudflare/quiche: 'Unlimited resource allocation by QUIC CRYPTO frames flooding.' A remote peer repeatedly sends an unlimited number of QUIC CRYPTO frames (type 0x06) over an established connection; quiche buffered the CRYPTO reassembly stream without bounding total retained state, so the flood makes memory usage of the quiche server OR client climb for the duration of the connection (availability DoS, CVSS 3.1 5.9). Affected quiche <= 0.19.1, 0.20.0; fixed in 0.19.2, 0.20.1. Reported by Marten Seemann. Advisory: https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g
quic s2n_quic_crypto_offset_amplification lab reverse-engineered-cve s2n_quic_crypto_offset_amplification CVE-2026-10740 / GHSA-9q54-f358-3fqf — aws/s2n-quic: CRYPTO-frame offset amplification. The CRYPTO-frame reassembly buffer lacks maximum-size enforcement, so a CRYPTO frame (type 0x06) carrying an artificially HIGH offset forces the receiver to reserve reassembly buffer up to that offset even though the delivered body is tiny: a single ~1200-byte packet causes ~9.4 MB of allocation (~7800x). No authentication or valid handshake is required — the crafted CRYPTO frames ride pre-handshake QUIC Initial packets, so an unauthenticated peer can repeatedly transmit them to exhaust server memory (availability DoS, CVSS 3.1 5.3). Affected s2n-quic <= 1.81.0; fixed in 1.82.0. Advisory: https://github.com/aws/s2n-quic/security/advisories/GHSA-9q54-f358-3fqf

related (memory_amp)

cite

https://nrdax.com/techniques/NRDAX-T0042

plain

NRDAX Registry. Technique NRDAX-T0042.

bibtex
@misc{nrdax_NRDAX_T0042,
  title = {Crypto Frame Reassembly Buffer Exhaustion (NRDAX-T0042)},
  howpublished = {NRDAX Registry},
  url = {https://nrdax.com/techniques/NRDAX-T0042},
}
json (csl)
{
  "id": "nrdax-NRDAX-T0042",
  "type": "dataset",
  "title": "Crypto Frame Reassembly Buffer Exhaustion (NRDAX-T0042)",
  "URL": "https://nrdax.com/techniques/NRDAX-T0042",
  "publisher": "NRDAX Registry"
}