NRDAX-T0392 - Invalid UTF-8 Decode Panic
protocol_logic_exploit · active · first seen 2026-07-15
provenance: Reproduced in NullRabbit's attack-reproduction pipeline
mechanism
The node's qlog logging path assumes the CONNECTION_CLOSE/APPLICATION_CLOSE reason-phrase field is valid UTF-8 and decodes it directly into a Rust `str` for logging, even though RFC 9000 §19.19 defines the reason phrase as opaque bytes with no UTF-8 requirement. A remote peer sends a single CLOSE frame (0x1c/0x1d) whose reason-phrase bytes are deliberately invalid UTF-8 (e.g. stray continuation bytes), triggering a decode/conversion panic in the qlog writer and crashing the victim process - a one-packet availability DoS. The fix-class is defensive/lossy decoding (or byte-safe handling) of all peer-supplied opaque protocol fields before they are passed to logging, serialization, or string-typed APIs.
instances (1)
| chain | primitive | fidelity | origin | reproducer (bundle) | source |
|---|---|---|---|---|---|
| quic | quiche_nonutf8_close_panic | lab | reverse-engineered-cve | quiche_nonutf8_close_panic | - |
cite
https://nrdax.com/techniques/NRDAX-T0392
NRDAX Registry. Technique NRDAX-T0392.
@misc{nrdax_NRDAX_T0392,
title = {Invalid UTF-8 Decode Panic (NRDAX-T0392)},
howpublished = {NRDAX Registry},
url = {https://nrdax.com/techniques/NRDAX-T0392},
} {
"id": "nrdax-NRDAX-T0392",
"type": "dataset",
"title": "Invalid UTF-8 Decode Panic (NRDAX-T0392)",
"URL": "https://nrdax.com/techniques/NRDAX-T0392",
"publisher": "NRDAX Registry"
} use from the CLI
Retrieve or cite this technique from a script or the terminal with the NRDAX Python library & CLI.
nrdax get NRDAX-T0392 nrdax cite NRDAX-T0392 --format bibtex