NRDAX
Submit

← registry

NRDAX-T0195 - Path Challenge Response Memory Exhaustion

memory_amp · active · first seen 2026-07-10

provenance: Reproduced in NullRabbit's attack-reproduction pipeline

mechanism

quic-go QUIC path-validation memory exhaustion (CVE-2023-49295): flood of QUIC v1 short-header (1-RTT) packets each carrying PATH_CHALLENGE frame(s) (type 0x1a + 8B challenge data). Each PATH_CHALLENG

instances (1)

chainprimitivefidelityoriginreproducer (bundle)source
quic quic_go_path_challenge_flood lab reverse-engineered-cve quic_go_path_challenge_flood CVE-2023-49295 / GHSA-ppxx-5m9h-6vxf — quic-go/quic-go: 'Memory Exhaustion Attack against QUIC's Path Validation Mechanism.' An attacker floods the peer with a large number of PATH_CHALLENGE frames (RFC 9000 §8.2 requires a PATH_RESPONSE for each), then prevents those responses from being sent by collapsing the peer's congestion window (selective ACK) and manipulating its RTT estimate — so the un-sendable PATH_RESPONSE frames queue internally without bound, exhausting memory (availability DoS, severity Moderate). No workaround; the fix bounds retained path-validation state. Affected quic-go v0.40.0, <= v0.39.3, <= v0.38.1, <= v0.37.6; fixed v0.40.1, v0.39.4, v0.38.2, v0.37.7. Reported by marten-seemann. Advisory: https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf

related (memory_amp)

cite

https://nrdax.com/techniques/NRDAX-T0195

plain

NRDAX Registry. Technique NRDAX-T0195.

bibtex
@misc{nrdax_NRDAX_T0195,
  title = {Path Challenge Response Memory Exhaustion (NRDAX-T0195)},
  howpublished = {NRDAX Registry},
  url = {https://nrdax.com/techniques/NRDAX-T0195},
}
json (csl)
{
  "id": "nrdax-NRDAX-T0195",
  "type": "dataset",
  "title": "Path Challenge Response Memory Exhaustion (NRDAX-T0195)",
  "URL": "https://nrdax.com/techniques/NRDAX-T0195",
  "publisher": "NRDAX Registry"
}