NRDAX
Submit

← registry

NRDAX-T0196 - Path Migration Challenge Queue Exhaustion

memory_amp · active · first seen 2026-07-10

provenance: Reproduced in NullRabbit's attack-reproduction pipeline

mechanism

quiche QUIC PATH_CHALLENGE unbounded-queue flood (CVE-2023-6193): flood of QUIC 1-RTT short-header packets on one DCID arriving from CHANGING source paths (rotating loopback 4-tuples = QUIC connection

instances (1)

chainprimitivefidelityoriginreproducer (bundle)source
quic quiche_path_challenge_queue lab reverse-engineered-cve quiche_path_challenge_queue CVE-2023-6193 / GHSA-w3vp-jw9m-f9pm — cloudflare/quiche: 'Unbounded queuing of path validation messages.' QUIC path validation (RFC 9000 §8.2) makes the recipient of a PATH_CHALLENGE frame (type 0x1a) reply with a PATH_RESPONSE (type 0x1b) echoing the 8-byte challenge. An unauthenticated remote attacker sends PATH_CHALLENGE frames — changing source address so each path migration forces path validation — and manipulates the connection (e.g. restricting the peer's congestion window) so PATH_RESPONSEs can only be sent slower than PATH_CHALLENGEs are received; quiche stores the path-validation data in an UNBOUNDED queue, so memory grows without limit for the connection's lifetime (availability DoS, CWE-400, CVSS 3.1 5.3 Moderate). Affected quiche 0.15.0 through 0.19.0; fixed in 0.19.1. Advisory: https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm

related (memory_amp)

cite

https://nrdax.com/techniques/NRDAX-T0196

plain

NRDAX Registry. Technique NRDAX-T0196.

bibtex
@misc{nrdax_NRDAX_T0196,
  title = {Path Migration Challenge Queue Exhaustion (NRDAX-T0196)},
  howpublished = {NRDAX Registry},
  url = {https://nrdax.com/techniques/NRDAX-T0196},
}
json (csl)
{
  "id": "nrdax-NRDAX-T0196",
  "type": "dataset",
  "title": "Path Migration Challenge Queue Exhaustion (NRDAX-T0196)",
  "URL": "https://nrdax.com/techniques/NRDAX-T0196",
  "publisher": "NRDAX Registry"
}