NRDAX
Submit

← registry

NRDAX-T0225 - QUIC Control Frame Flood

connection_exhaustion · active · first seen 2026-07-11

provenance: Reproduced in NullRabbit's attack-reproduction pipeline

mechanism

s2n-quic stream-limit exhaustion (GHSA-475v-pq2g-fp9g): pre-patch `RemoteInitiated::on_close_stream` directly bumped `max_streams_sync` with NO rate limiting, so every close of a remote-initiated stre

instances (1)

chainprimitivefidelityoriginreproducer (bundle)source
quic s2n_quic_stream_limit_exhaustion lab reverse-engineered-cve s2n_quic_stream_limit_exhaustion GHSA-475v-pq2g-fp9g — AWS s2n-quic <= v1.30.0: 's2n-quic potential denial of service via crafted stream frames' — uncontrolled stream-limit increase when closing remote-initiated streams. https://github.com/aws/s2n-quic/security/advisories/GHSA-475v-pq2g-fp9g

references

vendor-advisory: GHPR-quic-go-quic-go-4369

related (connection_exhaustion)

cite

https://nrdax.com/techniques/NRDAX-T0225

plain

NRDAX Registry. Technique NRDAX-T0225.

bibtex
@misc{nrdax_NRDAX_T0225,
  title = {QUIC Control Frame Flood (NRDAX-T0225)},
  howpublished = {NRDAX Registry},
  url = {https://nrdax.com/techniques/NRDAX-T0225},
}
json (csl)
{
  "id": "nrdax-NRDAX-T0225",
  "type": "dataset",
  "title": "QUIC Control Frame Flood (NRDAX-T0225)",
  "URL": "https://nrdax.com/techniques/NRDAX-T0225",
  "publisher": "NRDAX Registry"
}