NRDAX-T0059 - Duplicate Transport Parameter Memory Leak
memory_amp · active · first seen 2026-07-11
provenance: Reproduced in NullRabbit's attack-reproduction pipeline
mechanism
msquic duplicate-transport-parameters VersionInfo leak (CVE-2024-26190): flood of QUIC v1 Initial packets (distinct SCID / new connection each), every Initial carrying a CRYPTO frame (type 0x06) whose
instances (1)
| chain | primitive | fidelity | origin | reproducer (bundle) | source |
|---|---|---|---|---|---|
| quic | msquic_dup_tp_versioninfo_leak | lab | reverse-engineered-cve | msquic_dup_tp_versioninfo_leak | CVE-2024-26190 / GHSA-2x7m-gf85-3745 — microsoft/msquic: 'Remote Denial of Service Vulnerability' — memory leak from multiple decodes of the QUIC transport parameters TLS extension. A remote unauthenticated peer sends a ClientHello whose TLS extension list contains multiple duplicate quic_transport_parameters extensions (ext type 0x0039), each carrying a version_information transport parameter (TP id 0x11); QuicCryptoTlsReadExtensions did not reject the duplicate, so QuicCryptoTlsDecodeTransportParameters ran once per occurrence, each CXPLAT_ALLOC'ing a fresh VersionInfo (QUIC_POOL_VERSION_INFO) and then zeroing the struct without freeing the prior pointer -> one leaked allocation per duplicate. 'The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.' CVSS 3.1 7.5 (High; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Affected msquic < 2.1.12 (2.1.x), < 2.2.7 (2.2.x), < 2.3.5; fixed 2.1.12, 2.2.7, 2.3.5 (commit d364feeda0dd). Advisory: https://github.com/microsoft/msquic/security/advisories/GHSA-2x7m-gf85-3745 |
related (memory_amp)
NRDAX-T0023 - Coalesced Packet Buffer Leak active NRDAX-T0025 - Compact Block Size Integer Overflow active NRDAX-T0038 - Count Underflow Header Serving Amplification active NRDAX-T0042 - Crypto Frame Reassembly Buffer Exhaustion active NRDAX-T0046 - Decompression Bomb Resource Exhaustion active NRDAX-T0061 - Duplicate Tx Mempool Index Desync active NRDAX-T0071 - Ethash Verification Memory Exhaustion active NRDAX-T0095 - GraphQL Alias Query Amplification active
cite
https://nrdax.com/techniques/NRDAX-T0059
plain
NRDAX Registry. Technique NRDAX-T0059.
bibtex
@misc{nrdax_NRDAX_T0059,
title = {Duplicate Transport Parameter Memory Leak (NRDAX-T0059)},
howpublished = {NRDAX Registry},
url = {https://nrdax.com/techniques/NRDAX-T0059},
} json (csl)
{
"id": "nrdax-NRDAX-T0059",
"type": "dataset",
"title": "Duplicate Transport Parameter Memory Leak (NRDAX-T0059)",
"URL": "https://nrdax.com/techniques/NRDAX-T0059",
"publisher": "NRDAX Registry"
}