{"count":388,"offset":0,"registry_version":"v0.1-import","techniques":[{"display_name":"Addr Message Counter Overflow Crash","external_references":[{"id":"CVE-2024-52919","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52919"}],"family":"gossip_abuse","first_seen":"2024-01-01","id":"NRDAX-T0001","instances":[{"bundle_ref":"btc_addr_overflow_flood","chain":"litecoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2025/04/28/disclose-cve-2024-52919/","kind":"cve","url":"https://bitcoincore.org/en/2025/04/28/disclose-cve-2024-52919/"}],"fidelity":"lab","primitive_id":"btc_addr_overflow_flood"}],"mechanism":"CVE-2024-52919 (GHSA-qwp9-p9rr-h729): addr flood → CAddrMan 32-bit nIdCount overflow → assertion abort","name":"addr-message-counter-overflow-crash","provenance_note":"imported from nr_registry cluster 'addr-message-counter-overflow-crash'","status":"active"},{"display_name":"Alert Message Ordering Bypass","external_references":[{"id":"CVE-2016-10725","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10725"}],"family":"network-p2p","first_seen":"2016-01-01","id":"NRDAX-T0002","instances":[],"mechanism":"Alert Message Ordering Bypass","name":"alert-message-ordering-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'alert-message-ordering-bypass')","status":"active"},{"display_name":"Arithmetic Bug Fund Miscalculation","external_references":[{"id":"CVE-2022-23066","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23066"},{"id":"CVE-2022-31111","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31111"},{"id":"CVE-2026-24783","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24783"},{"id":"CVE-2026-24889","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24889"}],"family":"economic-defi","first_seen":"2022-01-01","id":"NRDAX-T0003","instances":[],"mechanism":"Arithmetic Bug Fund Miscalculation","name":"arithmetic-bug-fund-miscalculation","provenance_note":"known-but-not-reproduced coverage gap (technique 'arithmetic-bug-fund-miscalculation')","status":"active"},{"display_name":"Arithmetic Edge-Case Panic Crash","external_references":[{"id":"CVE-2020-26242","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26242"},{"id":"GHPR-Conflux-Chain-conflux-rust-3544","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-8832","kind":"vendor-advisory"},{"id":"GHPR-XRPLF-rippled-6989","kind":"vendor-advisory"},{"id":"GHPR-cosmos-ethermint-750","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0004","instances":[],"mechanism":"Arithmetic Edge-Case Panic Crash","name":"arithmetic-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'arithmetic-panic-crash')","status":"active"},{"display_name":"Array Deserialization Memcpy Corruption","external_references":[{"id":"CVE-2019-6250","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-6250"}],"family":"compute_amp","first_seen":"2019-01-01","id":"NRDAX-T0005","instances":[{"bundle_ref":"monero_levin_array_memcorrupt","chain":"monero","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0637","kind":"vendor-advisory","url":"https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0637"}],"fidelity":"lab","primitive_id":"monero_levin_array_memcorrupt"}],"mechanism":"CVE-2018-3972 (TALOS-2018-0637): Levin array-of-arrays (0x8D) → epee read_ae POD memcpy → memory corruption","name":"array-deserialization-memcpy-corruption","provenance_note":"imported from nr_registry cluster 'array-deserialization-memcpy-corruption'","status":"active"},{"display_name":"Async Runtime Blocking VM Execution","external_references":[{"id":"GHPR-MystenLabs-sui-27236","kind":"vendor-advisory"},{"id":"GHPR-MystenLabs-sui-27239","kind":"vendor-advisory"}],"family":"compute_amp","first_seen":"2026-07-09","id":"NRDAX-T0006","instances":[{"bundle_ref":"iota_f14_devinspect_cpu_wedge","chain":"iota","discovery_origin":"original-research","external_references":[{"id":"https://docs.iota.org/references/iota-api/iota/method/iota_devInspectTransactionBlock (iota-core authority.rs dev_inspect_transaction_block synchronous Move-VM path; iota-json-rpc-api/src/write.rs exposes iota_devInspectTransactionBlock)","kind":"vendor-advisory","url":"https://docs.iota.org/references/iota-api/iota/method/iota_devInspectTransactionBlock (iota-core authority.rs dev_inspect_transaction_block synchronous Move-VM path; iota-json-rpc-api/src/write.rs exposes iota_devInspectTransactionBlock)"}],"fidelity":"lab","primitive_id":"iota_f14_devinspect_cpu_wedge"},{"bundle_ref":"iota_f14_f10_grpc_chained","chain":"iota","discovery_origin":"original-research","external_references":[{"id":"https://docs.iota.org/references/iota-api/iota/method/iota_devInspectTransactionBlock (F14: iota-core authority.rs synchronous dev_inspect Move-VM path) + https://docs.iota.org/references/iota-api (F10: gRPC LedgerService/GetTransactions batch response-amp, no per-batch count cap / no digest dedup)","kind":"vendor-advisory","url":"https://docs.iota.org/references/iota-api/iota/method/iota_devInspectTransactionBlock (F14: iota-core authority.rs synchronous dev_inspect Move-VM path) + https://docs.iota.org/references/iota-api (F10: gRPC LedgerService/GetTransactions batch response-amp, no per-batch count cap / no digest dedup)"}],"fidelity":"lab","primitive_id":"iota_f14_f10_grpc_chained"},{"bundle_ref":"SOL_F14_simulate_transaction_sync_wedge","chain":"solana","discovery_origin":"original-research","external_references":[{"id":"agave-simulatetransaction-rpc-executor-saturation","kind":"nr-brief","url":"https://nullrabbit.ai/research/agave-simulatetransaction-rpc-executor-saturation"}],"fidelity":"lab","primitive_id":"SOL_F14_simulate_transaction_sync_wedge"}],"mechanism":"The simulateTransaction RPC handler executes the BPF VM synchronously on the calling Tokio worker thread (no spawn_blocking interposed), and because sigVerify defaults off and simulation is gas-free, an attacker can submit CU-maximizing transactions against pre-loaded programs at no cost. Each concurrent request pins a shared executor thread for the full simulation duration, so per-worker throughput degrades proportionally to concurrent request count, exhausting the bounded async worker pool and starving all other RPC handlers sharing it. The fix-class is interposing async offload (spawn_blocking / dedicated thread pool with backpressure) plus request-side CU/cost accounting for simulate calls, not just on-chain compute budgets.","name":"async-runtime-blocking-vm-execution","provenance_note":"imported from nr_registry cluster 'async-runtime-blocking-vm-execution'","status":"active"},{"display_name":"Authentication Message Replay","external_references":[{"id":"CVE-2021-25835","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25835"}],"family":"network-p2p","first_seen":"2021-01-01","id":"NRDAX-T0007","instances":[],"mechanism":"Authentication Message Replay","name":"authentication-message-replay","provenance_note":"known-but-not-reproduced coverage gap (technique 'authentication-message-replay')","status":"active"},{"display_name":"Authorization Check Bypass RCE","external_references":[{"id":"CVE-2026-46716","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46716"}],"family":"network-rpc","first_seen":"2026-01-01","id":"NRDAX-T0008","instances":[],"mechanism":"Authorization Check Bypass RCE","name":"authorization-check-bypass-rce","provenance_note":"known-but-not-reproduced coverage gap (technique 'authorization-check-bypass-rce')","status":"active"},{"display_name":"Bit-Length Validation Panic","external_references":[{"id":"GHSA-7225-m954-23v7","kind":"ghsa","url":"https://github.com/advisories/GHSA-7225-m954-23v7"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0009","instances":[],"mechanism":"Bit-Length Validation Panic","name":"bit-length-validation-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'bit-length-validation-panic')","status":"active"},{"display_name":"Block Processing Use-After-Free Crash","external_references":[{"id":"GHSA-fqr9-fxpx-rfpf","kind":"ghsa","url":"https://github.com/advisories/GHSA-fqr9-fxpx-rfpf"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0010","instances":[],"mechanism":"Block Processing Use-After-Free Crash","name":"block-processing-use-after-free-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'block-processing-use-after-free-crash')","status":"active"},{"display_name":"Block Replay Race Crash","external_references":[{"id":"GHREL-solana-labs-solana-v1.2.14","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0011","instances":[],"mechanism":"Block Replay Race Crash","name":"block-replay-race-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'block-replay-race-crash')","status":"active"},{"display_name":"Block Timestamp Validation Bypass","external_references":[{"id":"CVE-2020-8806","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8806"},{"id":"CVE-2022-37450","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-37450"},{"id":"CVE-2026-40093","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40093"},{"id":"GHSA-c32p-wcqj-j677","kind":"ghsa","url":"https://github.com/advisories/GHSA-c32p-wcqj-j677"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0012","instances":[],"mechanism":"Block Timestamp Validation Bypass","name":"block-timestamp-validation-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'block-timestamp-validation-bypass')","status":"active"},{"display_name":"Bloom Filter Divide-By-Zero Crash","external_references":[],"family":"compute_amp","first_seen":"2026-07-01","id":"NRDAX-T0013","instances":[{"bundle_ref":"btc_bloom_divzero","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2013-5700","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2013-5700"}],"fidelity":"lab","primitive_id":"btc_bloom_divzero"}],"mechanism":"CVE-2013-5700: empty BIP37 bloom filter → modulo-by-zero in CBloomFilter::Hash() → crash","name":"bloom-filter-divide-by-zero-crash","provenance_note":"imported from nr_registry cluster 'bloom-filter-divide-by-zero-crash'","status":"active"},{"display_name":"Certificate Revocation Bypass","external_references":[{"id":"GHSA-9f94-5g5w-gf6r","kind":"ghsa","url":"https://github.com/advisories/GHSA-9f94-5g5w-gf6r"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0014","instances":[],"mechanism":"Certificate Revocation Bypass","name":"certificate-revocation-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'certificate-revocation-bypass')","status":"active"},{"display_name":"Chain ID Validation Missing","external_references":[{"id":"CVE-2022-23507","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23507"}],"family":"crypto","first_seen":"2022-01-01","id":"NRDAX-T0015","instances":[],"mechanism":"Chain ID Validation Missing","name":"chain-id-validation-missing","provenance_note":"known-but-not-reproduced coverage gap (technique 'chain-id-validation-missing')","status":"active"},{"display_name":"ChainSync Jumping Protocol DoS","external_references":[{"id":"GHREL-IntersectMBO-cardano-node-10.2.1","kind":"vendor-advisory"},{"id":"GHREL-IntersectMBO-cardano-node-10.3.1","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.2.1","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0016","instances":[],"mechanism":"ChainSync Jumping Protocol DoS","name":"chainsync-jumping-protocol-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'chainsync-jumping-protocol-dos')","status":"active"},{"display_name":"Channel Access Control Bypass","external_references":[{"id":"CVE-2019-12999","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12999"}],"family":"economic-defi","first_seen":"2019-01-01","id":"NRDAX-T0017","instances":[],"mechanism":"Channel Access Control Bypass","name":"channel-access-control-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'channel-access-control-bypass')","status":"active"},{"display_name":"Channel Close State Race Stranding","external_references":[{"id":"GHPR-lightningnetwork-lnd-10782","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0018","instances":[],"mechanism":"Channel Close State Race Stranding","name":"channel-close-state-race-stranding","provenance_note":"known-but-not-reproduced coverage gap (technique 'channel-close-state-race-stranding')","status":"active"},{"display_name":"Channel Open Error Bypass","external_references":[{"id":"GHSA-79xg-q4qm-7v9w","kind":"ghsa","url":"https://github.com/advisories/GHSA-79xg-q4qm-7v9w"}],"family":"bridge","first_seen":"2020-01-01","id":"NRDAX-T0019","instances":[],"mechanism":"Channel Open Error Bypass","name":"channel-open-error-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'channel-open-error-bypass')","status":"active"},{"display_name":"Checkpoint Snapshot Signer Bypass","external_references":[{"id":"GHPR-ethereum-go-ethereum-17620","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0020","instances":[],"mechanism":"Checkpoint Snapshot Signer Bypass","name":"checkpoint-snapshot-signer-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'checkpoint-snapshot-signer-bypass')","status":"active"},{"display_name":"Claim Migration Fund Drain","external_references":[{"id":"CVE-2022-24738","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24738"}],"family":"bridge","first_seen":"2022-01-01","id":"NRDAX-T0021","instances":[],"mechanism":"Claim Migration Fund Drain","name":"claim-migration-fund-drain","provenance_note":"known-but-not-reproduced coverage gap (technique 'claim-migration-fund-drain')","status":"active"},{"display_name":"Client Library Supply Chain Compromise","external_references":[{"id":"CVE-2024-54134","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-54134"},{"id":"CVE-2025-32965","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32965"},{"id":"CVE-2026-44503","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44503"},{"id":"CVE-2026-45300","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45300"},{"id":"CVE-2026-55487","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55487"},{"id":"CVE-2026-55700","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55700"},{"id":"GHSA-qprh-m6p3-hwxc","kind":"ghsa","url":"https://github.com/advisories/GHSA-qprh-m6p3-hwxc"},{"id":"RUSTSEC-2023-0111","kind":"vendor-advisory","url":"https://rustsec.org/advisories/RUSTSEC-2023-0111.html"},{"id":"RUSTSEC-2023-0112","kind":"vendor-advisory","url":"https://rustsec.org/advisories/RUSTSEC-2023-0112.html"}],"family":"supply-chain","first_seen":"2024-01-01","id":"NRDAX-T0022","instances":[],"mechanism":"Client Library Supply Chain Compromise","name":"client-library-supply-chain-compromise","provenance_note":"known-but-not-reproduced coverage gap (technique 'client-library-supply-chain-compromise')","status":"active"},{"display_name":"Coalesced Packet Buffer Leak","external_references":[],"family":"memory_amp","first_seen":"2026-07-11","id":"NRDAX-T0023","instances":[{"bundle_ref":"lsquic_initial_prehandshake_leak","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2025-54939 (QUIC-LEAK) — Imperva disclosure (https://www.imperva.com/blog/quic-leak-cve-2025-54939-new-high-risk-pre-handshake-remote-denial-of-service-in-lsquic-quic-implementation/); LiteSpeed advisory https://blog.litespeedtech.com/2025/08/18/litespeed-security-update/. LSQUIC ('LiteSpeed QUIC (LSQUIC) Library LSQUIC Engine Packet In Memory Leak') coalesces multiple QUIC packets per UDP datagram and allocates one ~96-byte `packet_in` per coalesced packet; when trailing coalesced Initial packets fail DCID validation, `lsquic_engine.c` frees only the first packet's `packet_in` and never calls `lsquic_mm_put_packet_in` for the rest -> pre-handshake memory leak that bypasses all post-handshake connection/stream/flow limits -> OOM (~70% of bandwidth).","kind":"cve"}],"fidelity":"lab","primitive_id":"lsquic_initial_prehandshake_leak"}],"mechanism":"QUIC-LEAK / CVE-2025-54939: LSQUIC pre-handshake `packet_in` memory leak from coalesced Initial packets (CVSS 7.5 AV:N/AC:L/PR:N/UI:N/A:H, CWE-401+CWE-770; affected LSQUIC < 4.3.1, fixed 4.3.1 / OpenL","name":"coalesced-packet-buffer-leak","provenance_note":"imported from nr_registry cluster 'coalesced-packet-buffer-leak'","status":"active"},{"display_name":"Compact Block FillBlock Duplicate Crash","external_references":[],"family":"consensus_abuse","first_seen":"2026-07-07","id":"NRDAX-T0024","instances":[{"bundle_ref":"btc_blocktxn_double_fillblock","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/10/08/disclose-blocktxn-crash/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/10/08/disclose-blocktxn-crash/"}],"fidelity":"lab","primitive_id":"btc_blocktxn_double_fillblock"}],"mechanism":"CVE-2024-35202: blocktxn with txns not committed to the block merkle root → FillBlock called twice → assertion + node exit (Bitcoin Core <25.0)","name":"compact-block-fillblock-duplicate-crash","provenance_note":"imported from nr_registry cluster 'compact-block-fillblock-duplicate-crash'","status":"active"},{"display_name":"Compact Block Size Integer Overflow","external_references":[],"family":"memory_amp","first_seen":"2026-07-02","id":"NRDAX-T0025","instances":[{"bundle_ref":"btc_cmpctblock_overflow","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-46597/","kind":"cve","url":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-46597/"}],"fidelity":"lab","primitive_id":"btc_cmpctblock_overflow"}],"mechanism":"CVE-2025-46597: cmpctblock declaring >1GB short-ids → 32-bit size-calc overflow","name":"compact-block-size-integer-overflow","provenance_note":"imported from nr_registry cluster 'compact-block-size-integer-overflow'","status":"active"},{"display_name":"Compiler Execution Order Bug","external_references":[{"id":"CVE-2024-35229","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35229"}],"family":"economic-defi","first_seen":"2024-01-01","id":"NRDAX-T0026","instances":[],"mechanism":"Compiler Execution Order Bug","name":"compiler-execution-order-bug","provenance_note":"known-but-not-reproduced coverage gap (technique 'compiler-execution-order-bug')","status":"active"},{"display_name":"Compressed Message Checksum Bypass","external_references":[{"id":"GHSA-m9c9-mc2h-9wjw","kind":"ghsa","url":"https://github.com/advisories/GHSA-m9c9-mc2h-9wjw"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0027","instances":[],"mechanism":"Compressed Message Checksum Bypass","name":"compressed-message-checksum-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'compressed-message-checksum-bypass')","status":"active"},{"display_name":"Compressed Message Decompression Crash","external_references":[{"id":"CVE-2021-3520","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3520"},{"id":"CVE-2021-37137","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37137"},{"id":"CVE-2023-34453","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34453"},{"id":"CVE-2025-64702","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64702"},{"id":"GHSA-53rv-hcvm-rpp9","kind":"ghsa","url":"https://github.com/advisories/GHSA-53rv-hcvm-rpp9"}],"family":"network-p2p","first_seen":"2021-01-01","id":"NRDAX-T0028","instances":[],"mechanism":"Compressed Message Decompression Crash","name":"compressed-message-decompression-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'compressed-message-decompression-crash')","status":"active"},{"display_name":"Concurrent RPC Race Nil-Deref Panic","external_references":[{"id":"GHPR-Fantom-foundation-go-opera-283","kind":"vendor-advisory"},{"id":"GHPR-Fantom-foundation-go-opera-284","kind":"vendor-advisory"},{"id":"GHPR-erigontech-erigon-22338","kind":"vendor-advisory"},{"id":"GHPR-erigontech-erigon-22383","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0029","instances":[],"mechanism":"Concurrent RPC Race Nil-Deref Panic","name":"concurrent-rpc-race-nil-deref-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'concurrent-rpc-race-nil-deref-panic')","status":"active"},{"display_name":"Connection Failure Panic Crash","external_references":[{"id":"GHPR-tonkeeper-tongo-486","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v2.2.0-testnet","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.9","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0030","instances":[],"mechanism":"Connection Failure Panic Crash","name":"connection-failure-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'connection-failure-panic-crash')","status":"active"},{"display_name":"Consensus Deadlock Vote Race","external_references":[{"id":"GHPR-cometbft-cometbft-5839","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0031","instances":[],"mechanism":"Consensus Deadlock Vote Race","name":"consensus-deadlock-vote-race","provenance_note":"known-but-not-reproduced coverage gap (technique 'consensus-deadlock-vote-race')","status":"active"},{"display_name":"Consensus Future Vote OOM","external_references":[{"id":"GHPR-starkware-libs-sequencer-14757","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0032","instances":[],"mechanism":"Consensus Future Vote OOM","name":"consensus-future-vote-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'consensus-future-vote-oom')","status":"active"},{"display_name":"Consensus Message Crash DoS","external_references":[{"id":"GHREL-Conflux-Chain-conflux-rust-v0.1.6","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.10.0-beta.2","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.36.5","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v0.16.1","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.17.24","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0033","instances":[],"mechanism":"Consensus Message Crash DoS","name":"consensus-message-crash-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'consensus-message-crash-dos')","status":"active"},{"display_name":"Container Escape via Dependency","external_references":[{"id":"CVE-2019-19921","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-19921"},{"id":"CVE-2026-43999","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43999"},{"id":"CVE-2026-44009","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44009"},{"id":"GHSA-6jcq-6546-qrrw","kind":"ghsa","url":"https://github.com/advisories/GHSA-6jcq-6546-qrrw"},{"id":"GHSA-vmmj-pfw7-fjwp","kind":"ghsa","url":"https://github.com/advisories/GHSA-vmmj-pfw7-fjwp"}],"family":"supply-chain","first_seen":"2019-01-01","id":"NRDAX-T0034","instances":[],"mechanism":"Container Escape via Dependency","name":"container-escape-dependency","provenance_note":"known-but-not-reproduced coverage gap (technique 'container-escape-dependency')","status":"active"},{"display_name":"Contract Activation Compute Exhaustion","external_references":[{"id":"GHPR-OffchainLabs-nitro-4556","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0035","instances":[],"mechanism":"Contract Activation Compute Exhaustion","name":"contract-activation-compute-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'contract-activation-compute-exhaustion')","status":"active"},{"display_name":"Contract Execution Engine Crash","external_references":[{"id":"GHREL-near-nearcore-1.25.0","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.7.0-rc.4","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0036","instances":[],"mechanism":"Contract Execution Engine Crash","name":"contract-execution-engine-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'contract-execution-engine-crash')","status":"active"},{"display_name":"Contract Logic Validation Bypass","external_references":[{"id":"CVE-2022-35917","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35917"},{"id":"CVE-2023-34449","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34449"},{"id":"CVE-2026-26267","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26267"},{"id":"CVE-2026-45137","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45137"},{"id":"GHSA-429q-fhh4-r6hj","kind":"ghsa","url":"https://github.com/advisories/GHSA-429q-fhh4-r6hj"},{"id":"GHPR-stellar-rs-soroban-env-1250","kind":"vendor-advisory"}],"family":"economic-defi","first_seen":"2022-01-01","id":"NRDAX-T0037","instances":[],"mechanism":"Contract Logic Validation Bypass","name":"contract-logic-validation-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'contract-logic-validation-bypass')","status":"active"},{"display_name":"Count Underflow Header Serving Amplification","external_references":[],"family":"memory_amp","first_seen":"2026-07-07","id":"NRDAX-T0038","instances":[{"bundle_ref":"geth_getblockheaders_count_zero","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652","kind":"ghsa","url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-4xc9-8hmq-j652"}],"fidelity":"lab","primitive_id":"geth_getblockheaders_count_zero"}],"mechanism":"CVE-2024-32972: eth GetBlockHeaders amount=0 → count-1 underflows to UINT64_MAX → bypasses maxHeadersServe → serves all headers to genesis → memory exhaustion (geth <1.13.15)","name":"count-underflow-header-serving-amplification","provenance_note":"imported from nr_registry cluster 'count-underflow-header-serving-amplification'","status":"active"},{"display_name":"Crafted Packet Node Crash","external_references":[{"id":"GHSA-qjcv-rx3v-7mvj","kind":"ghsa","url":"https://github.com/advisories/GHSA-qjcv-rx3v-7mvj"},{"id":"GO-2023-1860","kind":"vendor-advisory","url":"https://pkg.go.dev/vuln/GO-2023-1860"}],"family":"bridge","first_seen":"2020-01-01","id":"NRDAX-T0039","instances":[],"mechanism":"Crafted Packet Node Crash","name":"crafted-packet-node-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'crafted-packet-node-crash')","status":"active"},{"display_name":"Crafted Transaction Processing DoS","external_references":[{"id":"CVE-2025-46598","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46598"},{"id":"GHSA-4j93-fm92-rp4m","kind":"ghsa","url":"https://github.com/advisories/GHSA-4j93-fm92-rp4m"},{"id":"GHSA-8pfh-j44r-f654","kind":"ghsa","url":"https://github.com/advisories/GHSA-8pfh-j44r-f654"},{"id":"GHPR-XRPLF-clio-708","kind":"vendor-advisory"},{"id":"GHPR-cosmos-cosmos-sdk-26518","kind":"vendor-advisory"},{"id":"GHPR-ethereum-optimism-optimism-19728","kind":"vendor-advisory"},{"id":"GHPR-move-language-move-750","kind":"vendor-advisory"},{"id":"GHPR-move-language-move-802","kind":"vendor-advisory"},{"id":"GHPR-move-language-move-840","kind":"vendor-advisory"},{"id":"GHPR-stellar-rs-soroban-env-460","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v2.3.4-2-beta","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v2.3.4-2-testnet","kind":"vendor-advisory"},{"id":"GHREL-IntersectMBO-cardano-node-8.9.4","kind":"vendor-advisory"},{"id":"GHREL-firedancer-io-firedancer-v0.808.30014","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-2.6.5","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.13","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2025-01-01","id":"NRDAX-T0040","instances":[],"mechanism":"Crafted Transaction Processing DoS","name":"crafted-tx-processing-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'crafted-tx-processing-dos')","status":"active"},{"display_name":"Cross-Chain Peer Pool Pollution","external_references":[{"id":"SLOWMIST-ALIEN-ATTACK","kind":"vendor-advisory"}],"family":"connection_exhaustion","first_seen":"2026-07-08","id":"NRDAX-T0041","instances":[{"bundle_ref":"geth_alien_peer_pool_pollution","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md","kind":"vendor-advisory","url":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md"}],"fidelity":"lab","primitive_id":"geth_alien_peer_pool_pollution"}],"mechanism":"Alien Attack (SlowMist 'peer-pool pollution'): a same-family but DIFFERENT-chain peer completes the chain-agnostic RLPx ECIES handshake + devp2p Hello and is admitted to the eth handshake; the chain c","name":"cross-chain-peer-pool-pollution","provenance_note":"imported from nr_registry cluster 'cross-chain-peer-pool-pollution'","status":"active"},{"display_name":"Crypto Frame Reassembly Buffer Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0042","instances":[{"bundle_ref":"quiche_crypto_frame_flood","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2024-1765 / GHSA-78wx-jg4j-5j6g — cloudflare/quiche: 'Unlimited resource allocation by QUIC CRYPTO frames flooding.' A remote peer repeatedly sends an unlimited number of QUIC CRYPTO frames (type 0x06) over an established connection; quiche buffered the CRYPTO reassembly stream without bounding total retained state, so the flood makes memory usage of the quiche server OR client climb for the duration of the connection (availability DoS, CVSS 3.1 5.9). Affected quiche <= 0.19.1, 0.20.0; fixed in 0.19.2, 0.20.1. Reported by Marten Seemann. Advisory: https://github.com/cloudflare/quiche/security/advisories/GHSA-78wx-jg4j-5j6g","kind":"cve"}],"fidelity":"lab","primitive_id":"quiche_crypto_frame_flood"},{"bundle_ref":"s2n_quic_crypto_offset_amplification","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2026-10740 / GHSA-9q54-f358-3fqf — aws/s2n-quic: CRYPTO-frame offset amplification. The CRYPTO-frame reassembly buffer lacks maximum-size enforcement, so a CRYPTO frame (type 0x06) carrying an artificially HIGH offset forces the receiver to reserve reassembly buffer up to that offset even though the delivered body is tiny: a single ~1200-byte packet causes ~9.4 MB of allocation (~7800x). No authentication or valid handshake is required — the crafted CRYPTO frames ride pre-handshake QUIC Initial packets, so an unauthenticated peer can repeatedly transmit them to exhaust server memory (availability DoS, CVSS 3.1 5.3). Affected s2n-quic <= 1.81.0; fixed in 1.82.0. Advisory: https://github.com/aws/s2n-quic/security/advisories/GHSA-9q54-f358-3fqf","kind":"cve"}],"fidelity":"lab","primitive_id":"s2n_quic_crypto_offset_amplification"}],"mechanism":"quiche QUIC CRYPTO-frame flood (CVE-2024-1765): flood of QUIC long-header packets each carrying a CRYPTO frame (type 0x06) whose offset escalates by a fixed stride (4096) — leaving the crypto reassemb","name":"crypto-frame-reassembly-buffer-exhaustion","provenance_note":"imported from nr_registry cluster 'crypto-frame-reassembly-buffer-exhaustion'","status":"active"},{"display_name":"Crypto Input Panic Crash","external_references":[{"id":"GHSA-82j2-j2ch-gfr8","kind":"ghsa","url":"https://github.com/advisories/GHSA-82j2-j2ch-gfr8"},{"id":"GHSA-hc3c-63hc-2r9f","kind":"ghsa","url":"https://github.com/advisories/GHSA-hc3c-63hc-2r9f"},{"id":"GHSA-xrf2-5r3p-5wgj","kind":"ghsa","url":"https://github.com/advisories/GHSA-xrf2-5r3p-5wgj"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0043","instances":[],"mechanism":"Crypto Input Panic Crash","name":"crypto-input-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'crypto-input-panic-crash')","status":"active"},{"display_name":"Data Limit Bypass State Bloat","external_references":[{"id":"CVE-2023-50428","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-50428"},{"id":"GHSA-2x4w-pxqw-58v9","kind":"ghsa","url":"https://github.com/advisories/GHSA-2x4w-pxqw-58v9"},{"id":"GHPR-XRPLF-rippled-7788","kind":"vendor-advisory"},{"id":"GHREL-monero-project-monero-v0.18.2.2","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.16.21","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2023-01-01","id":"NRDAX-T0044","instances":[],"mechanism":"Data Limit Bypass State Bloat","name":"data-limit-bypass-state-bloat","provenance_note":"known-but-not-reproduced coverage gap (technique 'data-limit-bypass-state-bloat')","status":"active"},{"display_name":"Declare Transaction Compilation CPU Exhaustion","external_references":[{"id":"GHPR-starkware-libs-sequencer-14552","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0045","instances":[],"mechanism":"Declare Transaction Compilation CPU Exhaustion","name":"declare-transaction-compilation-cpu-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'declare-transaction-compilation-cpu-exhaustion')","status":"active"},{"display_name":"Decompression Bomb Resource Exhaustion","external_references":[{"id":"CVE-2019-25072","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25072"},{"id":"CVE-2021-37136","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37136"},{"id":"CVE-2026-42587","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42587"}],"family":"memory_amp","first_seen":"2019-01-01","id":"NRDAX-T0046","instances":[{"bundle_ref":"quic_go_qpack_decompression_bomb","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2025-64702 / GHSA-g754-hx8w-x2g6 — quic-go/quic-go: 'HTTP/3 QPACK Header Expansion Memory Exhaustion.' quic-go's HTTP/3 decoder limits the ENCODED HEADERS frame size (1 MB (http3.Server.MaxHeaderBytes) server / 10 MB (http3.Transport.MaxResponseHeaderBytes) client) but not the DECODED field-section size. A crafted QPACK HEADERS block that densely references long static-table entries decompresses to ~50x its encoded size; RFC 9114 requires enforcing SETTINGS_MAX_FIELD_SECTION_SIZE, which quic-go <= v0.56.0 did not, so the decoder allocates the fully-expanded field section unbounded -> memory exhaustion (availability DoS, severity Moderate, CVSS 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Fixed v0.57.0 (SETTINGS_MAX_FIELD_SECTION_SIZE + incremental QPACK decoding, abort early). Affected quic-go <= v0.56.0. Reported by sfoxio. Advisory: https://github.com/quic-go/quic-go/security/advisories/GHSA-g754-hx8w-x2g6","kind":"cve"}],"fidelity":"lab","primitive_id":"quic_go_qpack_decompression_bomb"}],"mechanism":"quic-go HTTP/3 QPACK decompression-bomb memory exhaustion (CVE-2025-64702): a flood of QUIC v1 short-header (1-RTT) packets, each carrying a STREAM frame (type 0x0b) on a fresh client bidi stream whos","name":"decompression-bomb-resource-exhaustion","provenance_note":"imported from nr_registry cluster 'decompression-bomb-resource-exhaustion'","status":"active"},{"display_name":"Default Secret Token Forgery","external_references":[{"id":"GHSA-cwj8-7gp2-ggcw","kind":"ghsa","url":"https://github.com/advisories/GHSA-cwj8-7gp2-ggcw"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0047","instances":[],"mechanism":"Default Secret Token Forgery","name":"default-secret-token-forgery","provenance_note":"known-but-not-reproduced coverage gap (technique 'default-secret-token-forgery')","status":"active"},{"display_name":"Dependency Use-After-Free Corruption","external_references":[{"id":"CVE-2026-11941","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-11941"}],"family":"supply-chain","first_seen":"2026-01-01","id":"NRDAX-T0048","instances":[],"mechanism":"Dependency Use-After-Free Corruption","name":"dependency-use-after-free-corruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'dependency-use-after-free-corruption')","status":"active"},{"display_name":"DHT PUT_VALUE Disk Exhaustion","external_references":[{"id":"CVE-2026-45783","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45783"},{"id":"GHPR-ACINQ-eclair-2566","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0049","instances":[],"mechanism":"DHT PUT_VALUE Disk Exhaustion","name":"dht-put-value-disk-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'dht-put-value-disk-exhaustion')","status":"active"},{"display_name":"DHT Sybil Content Censorship","external_references":[{"id":"CVE-2023-26248","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26248"}],"family":"gossip_abuse","first_seen":"2023-01-01","id":"NRDAX-T0050","instances":[{"bundle_ref":"ipfs_dht_sybil_censorship","chain":"ipfs","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-mqr9-hjr8-2m9w","kind":"ghsa","url":"https://github.com/advisories/GHSA-mqr9-hjr8-2m9w"}],"fidelity":"lab","primitive_id":"ipfs_dht_sybil_censorship"}],"mechanism":"CVE-2023-26248 / GHSA-mqr9-hjr8-2m9w: Content Censorship in IPFS via Kademlia DHT abuse. The libp2p Kademlia DHT (go-libp2p-kad-dht (Go; as shipped in go-ipfs/kubo), affected go-libp2p-kad-dht <= 0.20","name":"dht-sybil-content-censorship","provenance_note":"imported from nr_registry cluster 'dht-sybil-content-censorship'","status":"active"},{"display_name":"Dial Worker Panic Crash","external_references":[{"id":"GHPR-libp2p-go-libp2p-2324","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0051","instances":[],"mechanism":"Dial Worker Panic Crash","name":"dial-worker-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'dial-worker-panic-crash')","status":"active"},{"display_name":"DNS Rebinding SSRF Bypass","external_references":[{"id":"GHSA-rjvw-7vvw-549v","kind":"ghsa","url":"https://github.com/advisories/GHSA-rjvw-7vvw-549v"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0052","instances":[],"mechanism":"DNS Rebinding SSRF Bypass","name":"dns-rebinding-ssrf-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'dns-rebinding-ssrf-bypass')","status":"active"},{"display_name":"DNS Response Parsing Panic Crash","external_references":[{"id":"GHPR-lightningnetwork-lnd-10914","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0053","instances":[],"mechanism":"DNS Response Parsing Panic Crash","name":"dns-response-parsing-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'dns-response-parsing-panic-crash')","status":"active"},{"display_name":"DNSSEC Validation Bypass Cache Poisoning","external_references":[{"id":"GHSA-x845-2f78-7v36","kind":"ghsa","url":"https://github.com/advisories/GHSA-x845-2f78-7v36"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0054","instances":[],"mechanism":"DNSSEC Validation Bypass Cache Poisoning","name":"dnssec-validation-bypass-cache-poisoning","provenance_note":"known-but-not-reproduced coverage gap (technique 'dnssec-validation-bypass-cache-poisoning')","status":"active"},{"display_name":"Duplicate-Input Block Crash","external_references":[{"id":"CVE-2018-17144","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17144"}],"family":"network-p2p","first_seen":"2018-01-01","id":"NRDAX-T0055","instances":[],"mechanism":"Duplicate-Input Block Crash","name":"duplicate-input-block-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'duplicate-input-block-crash')","status":"active"},{"display_name":"Duplicate Input Validation-Bypass Crash","external_references":[{"id":"GHPR-anza-xyz-agave-13608","kind":"vendor-advisory"}],"family":"consensus_abuse","first_seen":"2026-07-08","id":"NRDAX-T0056","instances":[{"bundle_ref":"bitcoin_dup_input_crash","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2018/09/20/notice/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2018/09/20/notice/"}],"fidelity":"lab","primitive_id":"bitcoin_dup_input_crash"}],"mechanism":"CVE-2018-17144: a block whose tx spends one outpoint twice (duplicate inputs); the 0.14 pre-relay optimization (PR#9049) skipped the duplicate-input check → assert(!coin.IsNull()) crash (0.14.x) / sup","name":"duplicate-input-validation-bypass-crash","provenance_note":"imported from nr_registry cluster 'duplicate-input-validation-bypass-crash'","status":"active"},{"display_name":"Duplicate Proof Memory Leak DoS","external_references":[{"id":"GHREL-anza-xyz-agave-v2.0.3","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0057","instances":[],"mechanism":"Duplicate Proof Memory Leak DoS","name":"duplicate-proof-memory-leak-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'duplicate-proof-memory-leak-dos')","status":"active"},{"display_name":"Duplicate Record Constraint Crash","external_references":[{"id":"GHPR-ACINQ-eclair-3037","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0058","instances":[],"mechanism":"Duplicate Record Constraint Crash","name":"duplicate-record-constraint-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'duplicate-record-constraint-crash')","status":"active"},{"display_name":"Duplicate Transport Parameter Memory Leak","external_references":[],"family":"memory_amp","first_seen":"2026-07-11","id":"NRDAX-T0059","instances":[{"bundle_ref":"msquic_dup_tp_versioninfo_leak","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2024-26190 / GHSA-2x7m-gf85-3745 — microsoft/msquic: 'Remote Denial of Service Vulnerability' — memory leak from multiple decodes of the QUIC transport parameters TLS extension. A remote unauthenticated peer sends a ClientHello whose TLS extension list contains multiple duplicate quic_transport_parameters extensions (ext type 0x0039), each carrying a version_information transport parameter (TP id 0x11); QuicCryptoTlsReadExtensions did not reject the duplicate, so QuicCryptoTlsDecodeTransportParameters ran once per occurrence, each CXPLAT_ALLOC'ing a fresh VersionInfo (QUIC_POOL_VERSION_INFO) and then zeroing the struct without freeing the prior pointer -> one leaked allocation per duplicate. 'The MsQuic server will continue to leak memory until no more is available, resulting in a denial of service.' CVSS 3.1 7.5 (High; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Affected msquic < 2.1.12 (2.1.x), < 2.2.7 (2.2.x), < 2.3.5; fixed 2.1.12, 2.2.7, 2.3.5 (commit d364feeda0dd). Advisory: https://github.com/microsoft/msquic/security/advisories/GHSA-2x7m-gf85-3745","kind":"cve"}],"fidelity":"lab","primitive_id":"msquic_dup_tp_versioninfo_leak"}],"mechanism":"msquic duplicate-transport-parameters VersionInfo leak (CVE-2024-26190): flood of QUIC v1 Initial packets (distinct SCID / new connection each), every Initial carrying a CRYPTO frame (type 0x06) whose","name":"duplicate-transport-parameter-memory-leak","provenance_note":"imported from nr_registry cluster 'duplicate-transport-parameter-memory-leak'","status":"active"},{"display_name":"Duplicate Transaction Memory Leak","external_references":[{"id":"CVE-2023-34451","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34451"}],"family":"ledger-tx","first_seen":"2023-01-01","id":"NRDAX-T0060","instances":[],"mechanism":"Duplicate Transaction Memory Leak","name":"duplicate-tx-memory-leak","provenance_note":"known-but-not-reproduced coverage gap (technique 'duplicate-tx-memory-leak')","status":"active"},{"display_name":"Duplicate Tx Mempool Index Desync","external_references":[],"family":"memory_amp","first_seen":"2026-07-09","id":"NRDAX-T0061","instances":[{"bundle_ref":"cometbft_mempool_dup_tx_leak","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffm","kind":"ghsa","url":"https://github.com/cometbft/cometbft/security/advisories/GHSA-w24w-wp77-qffm"}],"fidelity":"proxy","primitive_id":"cometbft_mempool_dup_tx_leak"}],"mechanism":"CVE-2023-34451 (GHSA-w24w-wp77-qffm): the mempool's list + map index each other and can desync so the SAME tx appears multiple times in the list and can no longer be fully removed (only a restart clea","name":"duplicate-tx-mempool-index-desync","provenance_note":"imported from nr_registry cluster 'duplicate-tx-mempool-index-desync'","status":"active"},{"display_name":"Dust Output Consensus Mishandling","external_references":[{"id":"CVE-2021-41592","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41592"}],"family":"network-p2p","first_seen":"2021-01-01","id":"NRDAX-T0062","instances":[],"mechanism":"Dust Output Consensus Mishandling","name":"dust-output-consensus-mishandling","provenance_note":"known-but-not-reproduced coverage gap (technique 'dust-output-consensus-mishandling')","status":"active"},{"display_name":"Dust Value Griefing","external_references":[{"id":"CVE-2021-41593","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41593"}],"family":"economic-defi","first_seen":"2021-01-01","id":"NRDAX-T0063","instances":[],"mechanism":"Dust Value Griefing","name":"dust-value-griefing","provenance_note":"known-but-not-reproduced coverage gap (technique 'dust-value-griefing')","status":"active"},{"display_name":"Endpoint Concurrency Cap Exhaustion","external_references":[{"id":"GHREL-near-nearcore-1.0.0","kind":"vendor-advisory"}],"family":"connection_exhaustion","first_seen":"2026-07-04","id":"NRDAX-T0064","instances":[{"bundle_ref":"cosmos_grpc_stream_flood","chain":"cosmos","discovery_origin":"original-research","external_references":[],"fidelity":"lab","primitive_id":"cosmos_grpc_stream_flood"},{"bundle_ref":"http2_settings_ack_stream_cap_bypass","chain":"http2","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"lab","primitive_id":"http2_settings_ack_stream_cap_bypass"},{"bundle_ref":"ic_xnet_concurrency_cap","chain":"ic","discovery_origin":"original-research","external_references":[{"id":"https://github.com/dfinity/ic — rs/http_endpoints/xnet/src/lib.rs:54 (const XNET_ENDPOINT_MAX_CONCURRENT_REQUESTS: usize = 4), :156-168 (try_acquire_owned() NON-BLOCKING; overflow returns 503 body \"Queue full\" immediately, no queue), :214 (Semaphore::new(XNET_ENDPOINT_MAX_CONCURRENT_REQUESTS)), :261 (tls.server_config(SomeOrAllNodes::All) admits ANY registered IC node); compounds with rs/xnet/payload_builder/src/certified_slice_pool.rs:405 (byte_limit.unwrap_or(usize::MAX), no clamp on the byte_limit query param).","kind":"vendor-advisory","url":"https://github.com/dfinity/ic — rs/http_endpoints/xnet/src/lib.rs:54 (const XNET_ENDPOINT_MAX_CONCURRENT_REQUESTS: usize = 4), :156-168 (try_acquire_owned() NON-BLOCKING; overflow returns 503 body \"Queue full\" immediately, no queue), :214 (Semaphore::new(XNET_ENDPOINT_MAX_CONCURRENT_REQUESTS)), :261 (tls.server_config(SomeOrAllNodes::All) admits ANY registered IC node); compounds with rs/xnet/payload_builder/src/certified_slice_pool.rs:405 (byte_limit.unwrap_or(usize::MAX), no clamp on the byte_limit query param)."}],"fidelity":"lab","primitive_id":"ic_xnet_concurrency_cap"},{"bundle_ref":"iota_grpc_stream_cap_dos","chain":"iota","discovery_origin":"original-research","external_references":[],"fidelity":"lab","primitive_id":"iota_grpc_stream_cap_dos"},{"bundle_ref":"kaspa_grpc_h2_preauth_stream_flood","chain":"kaspa","discovery_origin":"original-research","external_references":[{"id":"KAS-H1 measured 2026-06-02; connection_handler.rs:222","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"kaspa_grpc_h2_preauth_stream_flood"}],"mechanism":"cosmos-sdk server/grpc/server.go grpc.NewServer w/o grpc.MaxConcurrentStreams -> grpc-go default effectively unbounded + no SETTINGS_MAX_CONCURRENT_STREAMS signalled; attacker holds many HTTP/2 stream","name":"endpoint-concurrency-cap-exhaustion","provenance_note":"imported from nr_registry cluster 'endpoint-concurrency-cap-exhaustion'","status":"active"},{"display_name":"Engine API Deadlock","external_references":[{"id":"GHPR-ethereum-optimism-optimism-21348","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0065","instances":[],"mechanism":"Engine API Deadlock","name":"engine-api-deadlock","provenance_note":"known-but-not-reproduced coverage gap (technique 'engine-api-deadlock')","status":"active"},{"display_name":"Epoch Boundary Crash Loop","external_references":[{"id":"GHREL-MystenLabs-sui-testnet-v1.46.1","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.37.0-rc.3","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0066","instances":[],"mechanism":"Epoch Boundary Crash Loop","name":"epoch-boundary-crash-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'epoch-boundary-crash-loop')","status":"active"},{"display_name":"Epoch Height Source Lag Stall","external_references":[{"id":"GHPR-starkware-libs-sequencer-14698","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0067","instances":[],"mechanism":"Epoch Height Source Lag Stall","name":"epoch-height-source-lag-stall","provenance_note":"known-but-not-reproduced coverage gap (technique 'epoch-height-source-lag-stall')","status":"active"},{"display_name":"Equivocation Evidence Window Bypass","external_references":[{"id":"GHSA-555p-m4v6-cqxv","kind":"ghsa","url":"https://github.com/advisories/GHSA-555p-m4v6-cqxv"},{"id":"GHSA-83qr-9v2h-qxp4","kind":"ghsa","url":"https://github.com/advisories/GHSA-83qr-9v2h-qxp4"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0068","instances":[],"mechanism":"Equivocation Evidence Window Bypass","name":"equivocation-evidence-window-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'equivocation-evidence-window-bypass')","status":"active"},{"display_name":"Equivocation Storm Liveness DoS","external_references":[{"id":"GHREL-paritytech-polkadot-sdk-polkadot-stable2412-7","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0069","instances":[],"mechanism":"Equivocation Storm Liveness DoS","name":"equivocation-storm-liveness-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'equivocation-storm-liveness-dos')","status":"active"},{"display_name":"Ethash Cache Generation Memory Exhaustion","external_references":[{"id":"CVE-2021-42219","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-42219"}],"family":"network-p2p","first_seen":"2021-01-01","id":"NRDAX-T0070","instances":[],"mechanism":"Ethash Cache Generation Memory Exhaustion","name":"ethash-cache-generation-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'ethash-cache-generation-memory-exhaustion')","status":"active"},{"display_name":"Ethash Verification Memory Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-09","id":"NRDAX-T0071","instances":[{"bundle_ref":"geth_ethash_memory_exhaustion_dos","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2021-42219 — https://nvd.nist.gov/vuln/detail/CVE-2021-42219 (MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42219). go-ethereum v1.10.9 remote DoS: an excessive amount of block/header messages to a node drives repeated ethash cache generation in consensus/ethash/algorithm.go -> memory exhaustion. CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). No vendor GHSA (third-party exploit-doc ref).","kind":"cve"}],"fidelity":"lab","primitive_id":"geth_ethash_memory_exhaustion_dos"}],"mechanism":"CVE-2021-42219: go-ethereum v1.10.9 (and earlier pre-Merge ethash-verifying geth) — an unauthenticated remote peer floods a node with an excessive amount of block/header messages; to verify each block","name":"ethash-verification-memory-exhaustion","provenance_note":"imported from nr_registry cluster 'ethash-verification-memory-exhaustion'","status":"active"},{"display_name":"Event Stream Endpoint Crash DoS","external_references":[{"id":"CVE-2025-22870","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22870"},{"id":"CVE-2025-22872","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22872"},{"id":"CVE-2025-30204","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30204"}],"family":"network-rpc","first_seen":"2025-01-01","id":"NRDAX-T0072","instances":[],"mechanism":"Event Stream Endpoint Crash DoS","name":"event-stream-endpoint-crash-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'event-stream-endpoint-crash-dos')","status":"active"},{"display_name":"Evidence Timestamp Inconsistency DoS","external_references":[{"id":"CVE-2021-21271","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21271"}],"family":"consensus","first_seen":"2021-01-01","id":"NRDAX-T0073","instances":[],"mechanism":"Evidence Timestamp Inconsistency DoS","name":"evidence-timestamp-inconsistency-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'evidence-timestamp-inconsistency-dos')","status":"active"},{"display_name":"EVM Memory Corruption Consensus Split","external_references":[{"id":"CVE-2021-39137","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-39137"}],"family":"consensus","first_seen":"2021-01-01","id":"NRDAX-T0074","instances":[],"mechanism":"EVM Memory Corruption Consensus Split","name":"evm-memory-corruption-consensus-split","provenance_note":"known-but-not-reproduced coverage gap (technique 'evm-memory-corruption-consensus-split')","status":"active"},{"display_name":"EVM Opcode/Precompile Semantics Divergence","external_references":[{"id":"CVE-2021-41153","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41153"},{"id":"CVE-2021-41272","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41272"},{"id":"CVE-2025-30147","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30147"}],"family":"consensus","first_seen":"2021-01-01","id":"NRDAX-T0075","instances":[],"mechanism":"EVM Opcode/Precompile Semantics Divergence","name":"evm-opcode-precompile-semantics-divergence","provenance_note":"known-but-not-reproduced coverage gap (technique 'evm-opcode-precompile-semantics-divergence')","status":"active"},{"display_name":"Expensive Debug RPC Compute Amplification","external_references":[{"id":"GHPR-cosmos-cosmos-sdk-26572","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-devnet-v1.50.0","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-mainnet-v1.3.1","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-testnet-v1.50.1","kind":"vendor-advisory"},{"id":"GHREL-monero-project-monero-v0.17.3.0","kind":"vendor-advisory"}],"family":"compute_amp","first_seen":"2026-07-01","id":"NRDAX-T0076","instances":[{"bundle_ref":"eth_debug_tracecall_compute","chain":"ethereum","discovery_origin":"original-research","external_references":[{"id":"https://geth.ethereum.org/docs/interacting-with-geth/rpc","kind":"vendor-advisory","url":"https://geth.ethereum.org/docs/interacting-with-geth/rpc"}],"fidelity":"lab","primitive_id":"eth_debug_tracecall_compute"}],"mechanism":"debug_traceCall compute amplification (geth: debug API is DoS-prone, do not expose)","name":"expensive-debug-rpc-compute-amplification","provenance_note":"imported from nr_registry cluster 'expensive-debug-rpc-compute-amplification'","status":"active"},{"display_name":"Fast Sync Pivot Failure Abort","external_references":[{"id":"GHPR-ethereum-go-ethereum-2647","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0077","instances":[],"mechanism":"Fast Sync Pivot Failure Abort","name":"fast-sync-pivot-failure-abort","provenance_note":"known-but-not-reproduced coverage gap (technique 'fast-sync-pivot-failure-abort')","status":"active"},{"display_name":"Fee-Bump Replacement Policy Bypass","external_references":[{"id":"CVE-2021-31876","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-31876"}],"family":"ledger-tx","first_seen":"2021-01-01","id":"NRDAX-T0078","instances":[],"mechanism":"Fee-Bump Replacement Policy Bypass","name":"fee-bump-policy-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'fee-bump-policy-bypass')","status":"active"},{"display_name":"Field Element Comparison Bypass","external_references":[{"id":"CVE-2026-32322","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32322"}],"family":"crypto","first_seen":"2026-01-01","id":"NRDAX-T0079","instances":[],"mechanism":"Field Element Comparison Bypass","name":"field-element-comparison-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'field-element-comparison-bypass')","status":"active"},{"display_name":"Finality Justification Cache Bypass","external_references":[{"id":"CVE-2025-59941","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59941"}],"family":"consensus","first_seen":"2025-01-01","id":"NRDAX-T0080","instances":[],"mechanism":"Finality Justification Cache Bypass","name":"finality-justification-cache-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'finality-justification-cache-bypass')","status":"active"},{"display_name":"Force-Retire Integer Overflow Crash","external_references":[{"id":"GHREL-Conflux-Chain-conflux-rust-v3.0.3-testnet","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0081","instances":[],"mechanism":"Force-Retire Integer Overflow Crash","name":"force-retire-integer-overflow-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'force-retire-integer-overflow-crash')","status":"active"},{"display_name":"Forged Commit Future Height Light Client Attack","external_references":[{"id":"GHSA-f3w5-v9xx-rp8p","kind":"ghsa","url":"https://github.com/advisories/GHSA-f3w5-v9xx-rp8p"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0082","instances":[],"mechanism":"Forged Commit Future Height Light Client Attack","name":"forged-commit-future-height-light-client-attack","provenance_note":"known-but-not-reproduced coverage gap (technique 'forged-commit-future-height-light-client-attack')","status":"active"},{"display_name":"Frame Parsing Memory Amplification","external_references":[{"id":"CVE-2026-35469","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35469"},{"id":"GHSA-4w2j-m93h-cj5j","kind":"ghsa","url":"https://github.com/advisories/GHSA-4w2j-m93h-cj5j"},{"id":"GHPR-Conflux-Chain-conflux-rust-3541","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0083","instances":[],"mechanism":"Frame Parsing Memory Amplification","name":"frame-parsing-memory-amplification","provenance_note":"known-but-not-reproduced coverage gap (technique 'frame-parsing-memory-amplification')","status":"active"},{"display_name":"Gas Accounting Panic Bypass","external_references":[{"id":"GHPR-osmosis-labs-osmosis-9511","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0084","instances":[],"mechanism":"Gas Accounting Panic Bypass","name":"gas-accounting-panic-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'gas-accounting-panic-bypass')","status":"active"},{"display_name":"Gas Limit Capacity Exhaustion","external_references":[{"id":"GHPR-ava-labs-avalanchego-5424","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0085","instances":[],"mechanism":"Gas Limit Capacity Exhaustion","name":"gas-limit-capacity-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'gas-limit-capacity-exhaustion')","status":"active"},{"display_name":"Gas Price Margin Integer Overflow","external_references":[{"id":"GHPR-starkware-libs-sequencer-14589","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0086","instances":[],"mechanism":"Gas Price Margin Integer Overflow","name":"gas-price-margin-integer-overflow","provenance_note":"known-but-not-reproduced coverage gap (technique 'gas-price-margin-integer-overflow')","status":"active"},{"display_name":"Genesis Migration Timing Panic","external_references":[{"id":"GHPR-anza-xyz-agave-13750","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0087","instances":[],"mechanism":"Genesis Migration Timing Panic","name":"genesis-migration-timing-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'genesis-migration-timing-panic')","status":"active"},{"display_name":"GetData Request Flood","external_references":[{"id":"GHPR-btcsuite-btcd-611","kind":"vendor-advisory"}],"family":"connection_exhaustion","first_seen":"2026-07-01","id":"NRDAX-T0088","instances":[{"bundle_ref":"btc_getdata_flood","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/07/03/disclose-getdata-cpu/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/07/03/disclose-getdata-cpu/"}],"fidelity":"lab","primitive_id":"btc_getdata_flood"}],"mechanism":"CVE-2024-52920 class: oversized GETDATA processing load","name":"getdata-request-flood","provenance_note":"imported from nr_registry cluster 'getdata-request-flood'","status":"active"},{"display_name":"Gossip Attestation Index OOM","external_references":[{"id":"GHPR-sigp-lighthouse-9141","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0089","instances":[],"mechanism":"Gossip Attestation Index OOM","name":"gossip-attestation-index-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'gossip-attestation-index-oom')","status":"active"},{"display_name":"Gossip Message Deadlock Stall","external_references":[{"id":"GHREL-paritytech-polkadot-sdk-polkadot-stable2506-3","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0090","instances":[],"mechanism":"Gossip Message Deadlock Stall","name":"gossip-message-deadlock-stall","provenance_note":"known-but-not-reproduced coverage gap (technique 'gossip-message-deadlock-stall')","status":"active"},{"display_name":"Gossip Message Quarantine Crash","external_references":[{"id":"GHPR-status-im-nimbus-eth2-8491","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0091","instances":[],"mechanism":"Gossip Message Quarantine Crash","name":"gossip-message-quarantine-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'gossip-message-quarantine-crash')","status":"active"},{"display_name":"Gossip Query Triggered DB Crash","external_references":[{"id":"GHPR-ElementsProject-lightning-8767","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-9029","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0092","instances":[],"mechanism":"Gossip Query Triggered DB Crash","name":"gossip-query-triggered-db-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'gossip-query-triggered-db-crash')","status":"active"},{"display_name":"Gossipsub Mcache Config Panic Crash","external_references":[{"id":"GHPR-libp2p-rust-libp2p-6095","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0093","instances":[],"mechanism":"Gossipsub Mcache Config Panic Crash","name":"gossipsub-mcache-config-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'gossipsub-mcache-config-panic-crash')","status":"active"},{"display_name":"Governance Proposal Panic Halt","external_references":[{"id":"GHSA-47ww-ff84-4jrg","kind":"ghsa","url":"https://github.com/advisories/GHSA-47ww-ff84-4jrg"},{"id":"GHSA-qr8r-m495-7hc4","kind":"ghsa","url":"https://github.com/advisories/GHSA-qr8r-m495-7hc4"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0094","instances":[],"mechanism":"Governance Proposal Panic Halt","name":"governance-proposal-panic-halt","provenance_note":"known-but-not-reproduced coverage gap (technique 'governance-proposal-panic-halt')","status":"active"},{"display_name":"GraphQL Alias Query Amplification","external_references":[{"id":"CVE-2023-42319","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42319"}],"family":"memory_amp","first_seen":"2023-01-01","id":"NRDAX-T0095","instances":[{"bundle_ref":"geth_graphql_aliased_logs_dos","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-v9jh-j8px-98vq","kind":"ghsa","url":"https://github.com/advisories/GHSA-v9jh-j8px-98vq"}],"fidelity":"lab","primitive_id":"geth_graphql_aliased_logs_dos"}],"mechanism":"CVE-2023-42319: geth <=1.13.4 --http --graphql; a query with N aliased logs(filter:{fromBlock:0}) ops -> unbounded per-alias full-chain scan -> memory blowup","name":"graphql-alias-query-amplification","provenance_note":"imported from nr_registry cluster 'graphql-alias-query-amplification'","status":"active"},{"display_name":"GraphQL Nested Query Depth CPU Exhaustion","external_references":[{"id":"GHSA-cgxm-vr2f-6fj8","kind":"ghsa","url":"https://github.com/advisories/GHSA-cgxm-vr2f-6fj8"},{"id":"GHPR-ethereum-go-ethereum-32344","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0096","instances":[],"mechanism":"GraphQL Nested Query Depth CPU Exhaustion","name":"graphql-nested-query-depth-cpu-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'graphql-nested-query-depth-cpu-exhaustion')","status":"active"},{"display_name":"gRPC/H2 Multiplexing OOM","external_references":[],"family":"memory_amp","first_seen":"2026-07-03","id":"NRDAX-T0097","instances":[{"bundle_ref":"iota_grpc_h2_multiplex_oom","chain":"iota","discovery_origin":"original-research","external_references":[{"id":"iota-node-grpc-unbounded-http2-streams-oom","kind":"nr-brief","url":"https://nullrabbit.ai/research/iota-node-grpc-unbounded-http2-streams-oom"},{"id":"https://github.com/iotaledger/iota","kind":"vendor-advisory","url":"https://github.com/iotaledger/iota"}],"fidelity":"lab","primitive_id":"iota_grpc_h2_multiplex_oom"}],"mechanism":"NullRabbit measurement (gRPC/h2 multiplex DoS).","name":"grpc-h2-multiplexing-oom","provenance_note":"imported from nr_registry cluster 'grpc-h2-multiplexing-oom'","status":"active"},{"display_name":"Guest Module Memory Corruption","external_references":[{"id":"CVE-2023-26489","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26489"},{"id":"CVE-2024-38533","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38533"},{"id":"CVE-2026-34971","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34971"},{"id":"CVE-2026-34987","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34987"},{"id":"GHREL-near-nearcore-1.25.0-rc.1","kind":"vendor-advisory"},{"id":"RUSTSEC-2026-0191","kind":"vendor-advisory","url":"https://rustsec.org/advisories/RUSTSEC-2026-0191.html"}],"family":"supply-chain","first_seen":"2023-01-01","id":"NRDAX-T0098","instances":[],"mechanism":"Guest Module Memory Corruption","name":"guest-module-memory-corruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'guest-module-memory-corruption')","status":"active"},{"display_name":"Half-Open Handshake Slowloris","external_references":[],"family":"connection_exhaustion","first_seen":"2026-07-01","id":"NRDAX-T0099","instances":[{"bundle_ref":"ic_quic_halfopen_pin","chain":"ic","discovery_origin":"original-research","external_references":[{"id":"https://github.com/dfinity/ic — rs/p2p/quic_transport/src/connection_manager.rs: the accept loop spawns every inbound QUIC Initial into an UNBOUNDED `inbound_connecting` JoinSet with `EndpointConfig::default()` (no Retry / no address validation) and NO per-source-IP UDP pre-handshake budget (`max_simultaneous_connections_per_ip_address` is TCP-only). The mTLS NodeId allow-list is enforced only AFTER the per-connection quinn/rustls state is committed, so certificate trust does not mitigate the pre-handshake pin.","kind":"vendor-advisory","url":"https://github.com/dfinity/ic — rs/p2p/quic_transport/src/connection_manager.rs: the accept loop spawns every inbound QUIC Initial into an UNBOUNDED `inbound_connecting` JoinSet with `EndpointConfig::default()` (no Retry / no address validation) and NO per-source-IP UDP pre-handshake budget (`max_simultaneous_connections_per_ip_address` is TCP-only). The mTLS NodeId allow-list is enforced only AFTER the per-connection quinn/rustls state is committed, so certificate trust does not mitigate the pre-handshake pin."}],"fidelity":"lab","primitive_id":"ic_quic_halfopen_pin"},{"bundle_ref":"iota_http_tls_halfopen_plaintext_grpc","chain":"iota","discovery_origin":"original-research","external_references":[{"id":"https://github.com/iotaledger/iota — iota-http/src/config.rs (NO tls_handshake_timeout field, NO max_pending_connections field) + iota-http/src/lib.rs:281-313 accept loop (tokio::spawn { tls_acceptor.accept(io).await } with no deadline, spawned into an unbounded JoinSet) + iota-network-stack/src/server.rs:76 ServerBuilder::new().allow_insecure(true) (validator gRPC accepts plaintext h2c). cf. Sui post-#26069 which added tls_handshake_timeout=Some(5s) + max_pending_connections=Some(4096) and removed allow_insecure.","kind":"vendor-advisory","url":"https://github.com/iotaledger/iota — iota-http/src/config.rs (NO tls_handshake_timeout field, NO max_pending_connections field) + iota-http/src/lib.rs:281-313 accept loop (tokio::spawn { tls_acceptor.accept(io).await } with no deadline, spawned into an unbounded JoinSet) + iota-network-stack/src/server.rs:76 ServerBuilder::new().allow_insecure(true) (validator gRPC accepts plaintext h2c). cf. Sui post-#26069 which added tls_handshake_timeout=Some(5s) + max_pending_connections=Some(4096) and removed allow_insecure."}],"fidelity":"lab","primitive_id":"iota_http_tls_halfopen_plaintext_grpc"},{"bundle_ref":"sol_tpu_quic_handshake_flood","chain":"solana","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://neodyme.io/reports/Firedancer-v0.4.pdf","kind":"vendor-advisory","url":"https://neodyme.io/reports/Firedancer-v0.4.pdf"}],"fidelity":"lab","primitive_id":"sol_tpu_quic_handshake_flood"},{"bundle_ref":"sol_tpu_quic_slowloris","chain":"solana","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://neodyme.io/reports/Firedancer-v0.4.pdf","kind":"vendor-advisory","url":"https://neodyme.io/reports/Firedancer-v0.4.pdf"}],"fidelity":"lab","primitive_id":"sol_tpu_quic_slowloris"},{"bundle_ref":"rippled_tls_slow_handshake","chain":"xrp","discovery_origin":"original-research","external_references":[{"id":"rippled-tls-handshake-slowloris-fd-exhaustion","kind":"nr-brief","url":"https://nullrabbit.ai/research/rippled-tls-handshake-slowloris-fd-exhaustion"},{"id":"https://github.com/XRPLF/rippled — inbound peer TLS listener OverlayImpl::onHandoff (boost::asio::ssl::stream::async_handshake, peer port 51235) + JSON-RPC HTTPS listener (port 5006): no handshake deadline (cf. outbound ConnectAttempt.cpp:153), no per-IP half-open cap (Resource::Consumer OverlayImpl.cpp:235 gates rate not count).","kind":"vendor-advisory","url":"https://github.com/XRPLF/rippled — inbound peer TLS listener OverlayImpl::onHandoff (boost::asio::ssl::stream::async_handshake, peer port 51235) + JSON-RPC HTTPS listener (port 5006): no handshake deadline (cf. outbound ConnectAttempt.cpp:153), no per-IP half-open cap (Resource::Consumer OverlayImpl.cpp:235 gates rate not count)."}],"fidelity":"lab","primitive_id":"rippled_tls_slow_handshake"}],"mechanism":"IC quic_transport half-open QUIC handshake memory pin (IC_QUIC_HALFOPEN_PIN): a burst of QUIC v1 Initial packets (distinct SCID each) whose CRYPTO frame declares a large TLS handshake length (4096) bu","name":"half-open-handshake-slowloris","provenance_note":"imported from nr_registry cluster 'half-open-handshake-slowloris'","status":"active"},{"display_name":"Handshake Crypto CPU Burn","external_references":[{"id":"CVE-2023-39533","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39533"},{"id":"CVE-2025-29606","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29606"}],"family":"connection_exhaustion","first_seen":"2023-01-01","id":"NRDAX-T0100","instances":[{"bundle_ref":"sol_tpu_quic_initial_cpu","chain":"solana","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://neodyme.io/reports/Firedancer.pdf","kind":"vendor-advisory","url":"https://neodyme.io/reports/Firedancer.pdf"}],"fidelity":"lab","primitive_id":"sol_tpu_quic_initial_cpu"}],"mechanism":"Neodyme ND-FD1-MD-02: QUIC INITIAL flood → per-handshake x25519 + ed25519 sign-tile CPU exhaustion (compute-bound, distinct from the connection-slot flood)","name":"handshake-crypto-cpu-burn","provenance_note":"imported from nr_registry cluster 'handshake-crypto-cpu-burn'","status":"active"},{"display_name":"Handshake Crypto Validation Bypass Crash","external_references":[],"family":"compute_amp","first_seen":"2026-07-07","id":"NRDAX-T0101","instances":[{"bundle_ref":"geth_auth_zero_pubkey","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-q26p-9cq4-7fc2","kind":"ghsa","url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-q26p-9cq4-7fc2"}],"fidelity":"lab","primitive_id":"geth_auth_zero_pubkey"}],"mechanism":"CVE-2025-24883: RLPx auth with an all-zero (off-curve) EC pubkey — geth <1.14.13 skips the secp256k1 point-validity check → handshake crypto crash (fixed 159fb1a)","name":"handshake-crypto-validation-bypass-crash","provenance_note":"imported from nr_registry cluster 'handshake-crypto-validation-bypass-crash'","status":"active"},{"display_name":"Handshake Key Validation Info Leak","external_references":[{"id":"CVE-2026-26315","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26315"}],"family":"crypto","first_seen":"2026-01-01","id":"NRDAX-T0102","instances":[],"mechanism":"Handshake Key Validation Info Leak","name":"handshake-key-validation-info-leak","provenance_note":"known-but-not-reproduced coverage gap (technique 'handshake-key-validation-info-leak')","status":"active"},{"display_name":"Handshake Version String Crash","external_references":[{"id":"GHPR-XRPLF-clio-473","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.36.3","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.36.4","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0103","instances":[],"mechanism":"Handshake Version String Crash","name":"handshake-version-string-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'handshake-version-string-crash')","status":"active"},{"display_name":"Hash Collision Forgery","external_references":[{"id":"CVE-2026-32129","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32129"}],"family":"crypto","first_seen":"2026-01-01","id":"NRDAX-T0104","instances":[],"mechanism":"Hash Collision Forgery","name":"hash-collision-forgery","provenance_note":"known-but-not-reproduced coverage gap (technique 'hash-collision-forgery')","status":"active"},{"display_name":"Hash Function Overflow Misbehavior","external_references":[{"id":"GHPR-dogecoin-dogecoin-2315","kind":"vendor-advisory"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0105","instances":[],"mechanism":"Hash Function Overflow Misbehavior","name":"hash-function-overflow-misbehavior","provenance_note":"known-but-not-reproduced coverage gap (technique 'hash-function-overflow-misbehavior')","status":"active"},{"display_name":"Header-Length Preallocation OOM","external_references":[],"family":"memory_amp","first_seen":"2026-07-01","id":"NRDAX-T0106","instances":[{"bundle_ref":"btc_oversized_recv_buffer","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/07/03/disclose_receive_buffer_oom/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/07/03/disclose_receive_buffer_oom/"}],"fidelity":"lab","primitive_id":"btc_oversized_recv_buffer"},{"bundle_ref":"monero_portable_storage_oom","chain":"monero","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/monero-project/monero/pull/7190","kind":"vendor-advisory","url":"https://github.com/monero-project/monero/pull/7190"}],"fidelity":"lab","primitive_id":"monero_portable_storage_oom"},{"bundle_ref":"zcash_zebra_addr_vector_preallocation_amplification","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-xr93-pcq3-pxf8","kind":"ghsa","url":"https://github.com/advisories/GHSA-xr93-pcq3-pxf8"}],"fidelity":"lab","primitive_id":"zcash_zebra_addr_vector_preallocation_amplification"},{"bundle_ref":"zcash_zebra_coinbase_script_preallocation_amplification","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2026-44500","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44500"}],"fidelity":"lab","primitive_id":"zcash_zebra_coinbase_script_preallocation_amplification"},{"bundle_ref":"zcash_zebra_equihash_solution_preallocation_amplification","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2026-44500","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44500"}],"fidelity":"lab","primitive_id":"zcash_zebra_equihash_solution_preallocation_amplification"},{"bundle_ref":"zcash_zebra_headers_message_preallocation_amplification","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2026-44500","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44500"}],"fidelity":"lab","primitive_id":"zcash_zebra_headers_message_preallocation_amplification"}],"mechanism":"CVE-2015-3641: header length field pre-allocates the receive buffer before the body → per-connection OOM","name":"header-length-preallocation-oom","provenance_note":"imported from nr_registry cluster 'header-length-preallocation-oom'","status":"active"},{"display_name":"Headers Message Flood OOM","external_references":[{"id":"CVE-2019-25220","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-25220"},{"id":"CVE-2024-52916","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52916"},{"id":"GHPR-bitcoin-bitcoin-31649","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2019-01-01","id":"NRDAX-T0107","instances":[],"mechanism":"Headers Message Flood OOM","name":"headers-message-flood-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'headers-message-flood-oom')","status":"active"},{"display_name":"HTLC Replay Init Order Crash","external_references":[{"id":"GHPR-ElementsProject-lightning-8974","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0108","instances":[],"mechanism":"HTLC Replay Init Order Crash","name":"htlc-replay-init-order-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'htlc-replay-init-order-crash')","status":"active"},{"display_name":"HTTP API Connection Hang DoS","external_references":[{"id":"CVE-2017-15300","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-15300"},{"id":"CVE-2021-21369","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21369"},{"id":"GHPR-algorand-go-algorand-3326","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2017-01-01","id":"NRDAX-T0109","instances":[],"mechanism":"HTTP API Connection Hang DoS","name":"http-api-connection-hang-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'http-api-connection-hang-dos')","status":"active"},{"display_name":"HTTP Header Spoofing Trust Bypass","external_references":[{"id":"CVE-2020-28483","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28483"},{"id":"CVE-2026-49353","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49353"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0110","instances":[],"mechanism":"HTTP Header Spoofing Trust Bypass","name":"http-header-spoofing-trust-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'http-header-spoofing-trust-bypass')","status":"active"},{"display_name":"HTTP/2 Rapid Reset Memory Exhaustion","external_references":[{"id":"CVE-2023-26964","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26964"}],"family":"network-p2p","first_seen":"2023-01-01","id":"NRDAX-T0111","instances":[{"bundle_ref":"http2_madeyoureset_flood","chain":"http2","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"proxy","primitive_id":"http2_madeyoureset_flood"}],"mechanism":"HTTP/2 Rapid Reset Memory Exhaustion","name":"http2-rapid-reset-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'http2-rapid-reset-memory-exhaustion')","status":"active"},{"display_name":"HTTP/2 Rapid Reset Stream Exhaustion","external_references":[{"id":"CVE-2023-39325","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39325"},{"id":"CVE-2023-40167","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40167"},{"id":"CVE-2023-44487","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44487"}],"family":"memory_amp","first_seen":"2023-01-01","id":"NRDAX-T0112","instances":[{"bundle_ref":"substrate_h2_rapid_reset","chain":"polkadot","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2023-26964 (RUSTSEC-2023-0034 / GHSA-f8vr-r385-rh5r) — https://nvd.nist.gov/vuln/detail/CVE-2023-26964, https://rustsec.org/advisories/RUSTSEC-2023-0034.html . HTTP/2 Rapid Reset (CVE-2023-44487 class) resource-exhaustion DoS in the Rust h2 crate < 0.3.17: a flood of HEADERS/RST_STREAM frames grows the pending-accept-reset stream queue unbounded in memory -> OOM. CVSS 3.1 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), CWE-770. Consumed by substrate/polkadot via hyper on the RPC & prometheus HTTP servers; bumped 0.3.16 -> 0.3.17 in paritytech/substrate#13915 (https://github.com/paritytech/substrate/pull/13915). Fix: hyperium/h2#668 (https://github.com/hyperium/h2/pull/668) adds max_pending_accept_reset_streams + GOAWAY(ENHANCE_YOUR_CALM).","kind":"cve"}],"fidelity":"lab","primitive_id":"substrate_h2_rapid_reset"},{"bundle_ref":"walrus_http2_rapid_reset","chain":"walrus","discovery_origin":"original-research","external_references":[{"id":"MystenLabs/walrus crates/walrus-service/src/node/config.rs:1800 http2_max_pending_accept_reset_streams=u32::MAX (compile-time default) → crates/walrus-service/src/node/server.rs:300 axum-server 0.8 HTTP/2 builder (h2 crate); disables the post-CVE-2023-44487 pending-accept-reset accounting limit. CVE-2023-44487 HTTP/2 Rapid Reset class; walrus-node 1.48.1 (axum-server 0.8 / h2 0.4 / rustls 0.23).","kind":"cve"}],"fidelity":"lab","primitive_id":"walrus_http2_rapid_reset"}],"mechanism":"CVE-2023-26964 (RUSTSEC-2023-0034): the Rust h2 crate < 0.3.17 does not release stream memory immediately on RST_STREAM and — pre-0.3.17 — has NO bound on streams in the pending-accept-but-remotely-re","name":"http2-rapid-reset-stream-exhaustion","provenance_note":"imported from nr_registry cluster 'http2-rapid-reset-stream-exhaustion'","status":"active"},{"display_name":"IBC Timeout Callback Reentrancy","external_references":[{"id":"GHSA-j496-crgh-34mx","kind":"ghsa","url":"https://github.com/advisories/GHSA-j496-crgh-34mx"}],"family":"bridge","first_seen":"2020-01-01","id":"NRDAX-T0113","instances":[],"mechanism":"IBC Timeout Callback Reentrancy","name":"ibc-timeout-callback-reentrancy","provenance_note":"known-but-not-reproduced coverage gap (technique 'ibc-timeout-callback-reentrancy')","status":"active"},{"display_name":"ICMP PMTUD Injection Disruption","external_references":[{"id":"CVE-2024-53259","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-53259"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0114","instances":[],"mechanism":"ICMP PMTUD Injection Disruption","name":"icmp-pmtud-injection-disruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'icmp-pmtud-injection-disruption')","status":"active"},{"display_name":"Implementation Divergence Chain Split","external_references":[{"id":"CVE-2020-26241","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26241"},{"id":"CVE-2020-26265","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26265"},{"id":"GHSA-3jg6-49c6-q99v","kind":"ghsa","url":"https://github.com/advisories/GHSA-3jg6-49c6-q99v"},{"id":"GHSA-cwfq-rfcr-8hmp","kind":"ghsa","url":"https://github.com/advisories/GHSA-cwfq-rfcr-8hmp"},{"id":"GHSA-pvmv-cwg8-v6c8","kind":"ghsa","url":"https://github.com/advisories/GHSA-pvmv-cwg8-v6c8"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0115","instances":[],"mechanism":"Implementation Divergence Chain Split","name":"implementation-divergence-chain-split","provenance_note":"known-but-not-reproduced coverage gap (technique 'implementation-divergence-chain-split')","status":"active"},{"display_name":"Incomplete Packet Timer Overflow CPU Burn","external_references":[{"id":"CVE-2022-30591","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-30591"}],"family":"network-p2p","first_seen":"2022-01-01","id":"NRDAX-T0116","instances":[],"mechanism":"Incomplete Packet Timer Overflow CPU Burn","name":"incomplete-packet-timer-overflow-cpu-burn","provenance_note":"known-but-not-reproduced coverage gap (technique 'incomplete-packet-timer-overflow-cpu-burn')","status":"active"},{"display_name":"Index Out-Of-Bounds Panic Crash","external_references":[{"id":"GHPR-cosmos-cosmos-sdk-26515","kind":"vendor-advisory"},{"id":"GHPR-cosmos-cosmos-sdk-26517","kind":"vendor-advisory"},{"id":"GHPR-cosmos-cosmos-sdk-26573","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0117","instances":[],"mechanism":"Index Out-Of-Bounds Panic Crash","name":"index-oob-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'index-oob-panic-crash')","status":"active"},{"display_name":"Integer Overflow Consensus Split","external_references":[{"id":"CVE-2022-29219","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29219"},{"id":"CVE-2022-36025","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-36025"},{"id":"GHSA-p22h-3m2v-cmgh","kind":"ghsa","url":"https://github.com/advisories/GHSA-p22h-3m2v-cmgh"},{"id":"GHPR-Consensys-teku-10452","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2022-01-01","id":"NRDAX-T0118","instances":[],"mechanism":"Integer Overflow Consensus Split","name":"integer-overflow-consensus-split","provenance_note":"known-but-not-reproduced coverage gap (technique 'integer-overflow-consensus-split')","status":"active"},{"display_name":"Integer Overflow Decompression Infinite Loop","external_references":[{"id":"CVE-2025-29072","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29072"}],"family":"network-rpc","first_seen":"2025-01-01","id":"NRDAX-T0119","instances":[],"mechanism":"Integer Overflow Decompression Infinite Loop","name":"integer-overflow-decompression-infinite-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'integer-overflow-decompression-infinite-loop')","status":"active"},{"display_name":"Integer-Overflow Panic Control Message","external_references":[{"id":"CVE-2018-12018","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12018"},{"id":"CVE-2025-46597","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46597"},{"id":"CVE-2026-31814","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31814"},{"id":"CVE-2026-32179","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32179"},{"id":"CVE-2026-33040","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33040"},{"id":"CVE-2026-34219","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34219"},{"id":"GHPR-Conflux-Chain-conflux-rust-3504","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3532","kind":"vendor-advisory"},{"id":"GHPR-aws-s2n-quic-2995","kind":"vendor-advisory"},{"id":"GHPR-aws-s2n-quic-2996","kind":"vendor-advisory"},{"id":"GHPR-aws-s2n-quic-3067","kind":"vendor-advisory"},{"id":"GHPR-grandinetech-grandine-356","kind":"vendor-advisory"},{"id":"GHPR-libp2p-rust-libp2p-6467","kind":"vendor-advisory"},{"id":"GHPR-near-nearcore-15921","kind":"vendor-advisory"}],"family":"gossip_abuse","first_seen":"2018-01-01","id":"NRDAX-T0120","instances":[{"bundle_ref":"gossipsub_prune_backoff_overflow","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5","kind":"ghsa","url":"https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5"}],"fidelity":"lab","primitive_id":"gossipsub_prune_backoff_overflow"}],"mechanism":"CVE-2026-34219 (+CVE-2026-33040): gossipsub ControlPrune backoff≈u64::MAX → Instant/Duration overflow panic","name":"integer-overflow-panic-control-message","provenance_note":"imported from nr_registry cluster 'integer-overflow-panic-control-message'","status":"active"},{"display_name":"Integer Overflow Parsing Crash","external_references":[{"id":"GHSA-82vg-5v4f-f9wq","kind":"ghsa","url":"https://github.com/advisories/GHSA-82vg-5v4f-f9wq"},{"id":"GHPR-btcsuite-btcd-2374","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0121","instances":[],"mechanism":"Integer Overflow Parsing Crash","name":"integer-overflow-parsing-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'integer-overflow-parsing-crash')","status":"active"},{"display_name":"Integer Signedness Index OOB Crash","external_references":[{"id":"GHPR-scroll-tech-go-ethereum-1195","kind":"vendor-advisory"}],"family":"compute_amp","first_seen":"2026-07-07","id":"NRDAX-T0122","instances":[{"bundle_ref":"cosmos_gogoproto_skippy","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://osv.dev/vulnerability/CVE-2021-3121","kind":"cve","url":"https://osv.dev/vulnerability/CVE-2021-3121"}],"fidelity":"lab","primitive_id":"cosmos_gogoproto_skippy"},{"bundle_ref":"geth_les_skip_negative","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://peckshield.medium.com/epod-ethereum-packet-of-death-cve-2018-12018-fc9ee944843e","kind":"cve","url":"https://peckshield.medium.com/epod-ethereum-packet-of-death-cve-2018-12018-fc9ee944843e"}],"fidelity":"lab","primitive_id":"geth_les_skip_negative"}],"mechanism":"CVE-2021-3121 (gogoproto 'skippy peanut butter'): unknown length-delimited field with a negative-length varint → pre-1.3.2 skip code does iNdEx+=length with no length<0 check → index out of bounds → p","name":"integer-signedness-index-oob-crash","provenance_note":"imported from nr_registry cluster 'integer-signedness-index-oob-crash'","status":"active"},{"display_name":"Interlink Mismatch Consensus Failure","external_references":[{"id":"CVE-2026-34061","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34061"}],"family":"consensus","first_seen":"2026-01-01","id":"NRDAX-T0123","instances":[],"mechanism":"Interlink Mismatch Consensus Failure","name":"interlink-mismatch-consensus-failure","provenance_note":"known-but-not-reproduced coverage gap (technique 'interlink-mismatch-consensus-failure')","status":"active"},{"display_name":"INV Flood GetHeaders Amplification","external_references":[],"family":"memory_amp","first_seen":"2026-07-01","id":"NRDAX-T0124","instances":[{"bundle_ref":"btc_inv_buffer_blowup","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/07/03/disclose-inv-buffer-blowup/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/07/03/disclose-inv-buffer-blowup/"}],"fidelity":"lab","primitive_id":"btc_inv_buffer_blowup"}],"mechanism":"CVE-2024-52915: INV with 50k items → 50k getheaders replies / send-buffer blowup","name":"inv-flood-getheaders-amplification","provenance_note":"imported from nr_registry cluster 'inv-flood-getheaders-amplification'","status":"active"},{"display_name":"Inv Message Flood OOM","external_references":[{"id":"CVE-2018-12356","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-12356"},{"id":"CVE-2018-17145","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17145"},{"id":"CVE-2024-52915","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52915"}],"family":"network-p2p","first_seen":"2018-01-01","id":"NRDAX-T0125","instances":[],"mechanism":"Inv Message Flood OOM","name":"inv-message-flood-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'inv-message-flood-oom')","status":"active"},{"display_name":"Inv Queue Draining CPU DoS","external_references":[{"id":"CVE-2023-33297","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33297"}],"family":"network-p2p","first_seen":"2023-01-01","id":"NRDAX-T0126","instances":[],"mechanism":"Inv Queue Draining CPU DoS","name":"inv-queue-draining-cpu-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'inv-queue-draining-cpu-dos')","status":"active"},{"display_name":"Invalid Address Nil-Pointer Crash","external_references":[{"id":"GHPR-algorand-go-algorand-6654","kind":"vendor-advisory"},{"id":"GHPR-ethereum-go-ethereum-34878","kind":"vendor-advisory"},{"id":"GHPR-ethereum-go-ethereum-35140","kind":"vendor-advisory"},{"id":"GHPR-firedancer-io-firedancer-10214","kind":"vendor-advisory"},{"id":"GHPR-libp2p-go-libp2p-2752","kind":"vendor-advisory"},{"id":"GHPR-libp2p-go-libp2p-3395","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-mainnet-v1.27.4","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0127","instances":[],"mechanism":"Invalid Address Nil-Pointer Crash","name":"invalid-address-nil-pointer-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'invalid-address-nil-pointer-crash')","status":"active"},{"display_name":"Invalid Commit Signature Halt","external_references":[{"id":"CVE-2020-15091","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15091"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0128","instances":[],"mechanism":"Invalid Commit Signature Halt","name":"invalid-commit-signature-halt","provenance_note":"known-but-not-reproduced coverage gap (technique 'invalid-commit-signature-halt')","status":"active"},{"display_name":"Invalid Curve Point Panic","external_references":[],"family":"compute_amp","first_seen":"2026-07-07","id":"NRDAX-T0129","instances":[{"bundle_ref":"zcash_zebra_orchard_rk_identity_verify_panic","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-452v-w3gx-72wg","kind":"ghsa","url":"https://github.com/advisories/GHSA-452v-w3gx-72wg"}],"fidelity":"lab","primitive_id":"zcash_zebra_orchard_rk_identity_verify_panic"},{"bundle_ref":"zcash_zebra_v5_orchard_rk_noncanonical_txid_panic","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2026-34202","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34202"}],"fidelity":"lab","primitive_id":"zcash_zebra_v5_orchard_rk_noncanonical_txid_panic"}],"mechanism":"CVE-2026-41584 (GHSA-452v-w3gx-72wg): a V5/NU5 tx whose Orchard action rk is the IDENTITY point [0x00;32] — a canonical point the spec allows, so it passes parse + hash() — but Orchard proof verificat","name":"invalid-curve-point-panic","provenance_note":"imported from nr_registry cluster 'invalid-curve-point-panic'","status":"active"},{"display_name":"Invalid Finality Signature Bypass","external_references":[{"id":"CVE-2025-24800","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24800"}],"family":"bridge","first_seen":"2025-01-01","id":"NRDAX-T0130","instances":[],"mechanism":"Invalid Finality Signature Bypass","name":"invalid-finality-signature-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'invalid-finality-signature-bypass')","status":"active"},{"display_name":"Invalid Message Log Flood","external_references":[],"family":"memory_amp","first_seen":"2026-07-01","id":"NRDAX-T0131","instances":[{"bundle_ref":"btc_invalid_block_logfill","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-54605/","kind":"cve","url":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-54605/"}],"fidelity":"lab","primitive_id":"btc_invalid_block_logfill"},{"bundle_ref":"btc_version_selfnonce","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-54604/","kind":"cve","url":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-54604/"}],"fidelity":"lab","primitive_id":"btc_version_selfnonce"}],"mechanism":"CVE-2025-54605: flood of PoW-invalid blocks logged unconditionally → log/disk fill","name":"invalid-message-log-flood","provenance_note":"imported from nr_registry cluster 'invalid-message-log-flood'","status":"active"},{"display_name":"Invariant Check Spam CPU Exhaustion","external_references":[{"id":"GHSA-w5w5-2882-47pc","kind":"ghsa","url":"https://github.com/advisories/GHSA-w5w5-2882-47pc"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0132","instances":[],"mechanism":"Invariant Check Spam CPU Exhaustion","name":"invariant-check-spam-cpu-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'invariant-check-spam-cpu-exhaustion')","status":"active"},{"display_name":"Iterator Length Mismatch Panic","external_references":[{"id":"GHPR-anza-xyz-agave-13697","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0133","instances":[],"mechanism":"Iterator Length Mismatch Panic","name":"iterator-length-mismatch-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'iterator-length-mismatch-panic')","status":"active"},{"display_name":"JSON Deserialization RCE","external_references":[{"id":"GHPR-tronprotocol-java-tron-6701","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0134","instances":[],"mechanism":"JSON Deserialization RCE","name":"json-deserialization-rce","provenance_note":"known-but-not-reproduced coverage gap (technique 'json-deserialization-rce')","status":"active"},{"display_name":"L1 Finality Assumption Reorg","external_references":[{"id":"CVE-2025-48886","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48886"}],"family":"consensus","first_seen":"2025-01-01","id":"NRDAX-T0135","instances":[],"mechanism":"L1 Finality Assumption Reorg","name":"l1-finality-assumption-reorg","provenance_note":"known-but-not-reproduced coverage gap (technique 'l1-finality-assumption-reorg')","status":"active"},{"display_name":"Large Trie Commit Batch Panic Crash","external_references":[{"id":"GHPR-OffchainLabs-go-ethereum-452","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0136","instances":[],"mechanism":"Large Trie Commit Batch Panic Crash","name":"large-trie-commit-batch-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'large-trie-commit-batch-panic-crash')","status":"active"},{"display_name":"Latent Consensus Decision Panic","external_references":[{"id":"GHPR-starkware-libs-sequencer-14605","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0137","instances":[],"mechanism":"Latent Consensus Decision Panic","name":"latent-consensus-decision-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'latent-consensus-decision-panic')","status":"active"},{"display_name":"Leader Election Manipulation Panic","external_references":[{"id":"GHPR-MystenLabs-mysticeti-56","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0138","instances":[],"mechanism":"Leader Election Manipulation Panic","name":"leader-election-manipulation-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'leader-election-manipulation-panic')","status":"active"},{"display_name":"Legacy Sighash Quadratic CPU Blowup","external_references":[],"family":"compute_amp","first_seen":"2026-07-01","id":"NRDAX-T0139","instances":[{"bundle_ref":"btc_tx_quad_sighash","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-46598/","kind":"cve","url":"https://bitcoincore.org/en/2025/10/24/disclose-cve-2025-46598/"}],"fidelity":"lab","primitive_id":"btc_tx_quad_sighash"}],"mechanism":"CVE-2025-46598: non-standard tx with many legacy-sighash inputs → quadratic validation CPU, no peer penalty","name":"legacy-sighash-quadratic-cpu-blowup","provenance_note":"imported from nr_registry cluster 'legacy-sighash-quadratic-cpu-blowup'","status":"active"},{"display_name":"Log Injection RCE","external_references":[{"id":"CVE-2021-44228","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-44228"}],"family":"supply-chain","first_seen":"2021-01-01","id":"NRDAX-T0140","instances":[],"mechanism":"Log Injection RCE","name":"log-injection-rce","provenance_note":"known-but-not-reproduced coverage gap (technique 'log-injection-rce')","status":"active"},{"display_name":"Low-Fee Transaction Spam Flood","external_references":[{"id":"CVE-2019-11636","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11636"}],"family":"ledger-tx","first_seen":"2019-01-01","id":"NRDAX-T0141","instances":[],"mechanism":"Low-Fee Transaction Spam Flood","name":"low-fee-tx-spam-flood","provenance_note":"known-but-not-reproduced coverage gap (technique 'low-fee-tx-spam-flood')","status":"active"},{"display_name":"Malformed Bytecode Index Panic","external_references":[{"id":"GHPR-move-language-move-751","kind":"vendor-advisory"}],"family":"rpc_handler_cpu","first_seen":"2026-07-02","id":"NRDAX-T0142","instances":[{"bundle_ref":"sui_disassemble_panic","chain":"sui","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://medium.com/certik-skyfall/blockchain-rpc-vulnerabilities-why-memory-safe-blockchain-rpc-nodes-are-not-panic-free-9fbb990115e0","kind":"vendor-advisory","url":"https://medium.com/certik-skyfall/blockchain-rpc-vulnerabilities-why-memory-safe-blockchain-rpc-nodes-are-not-panic-free-9fbb990115e0"}],"fidelity":"lab","primitive_id":"sui_disassemble_panic"}],"mechanism":"CertiK Skyfall: Publish RPC disassembles a malformed Move module (empty code_unit) → index panic → RPC crash","name":"malformed-bytecode-index-panic","provenance_note":"imported from nr_registry cluster 'malformed-bytecode-index-panic'","status":"active"},{"display_name":"Malformed Field Gossip Before Validation","external_references":[],"family":"consensus_abuse","first_seen":"2026-07-07","id":"NRDAX-T0143","instances":[{"bundle_ref":"cometbft_bitarray_mismatch","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/cometbft/cometbft/security/advisories/GHSA-hrhf-2vcr-ghch","kind":"ghsa","url":"https://github.com/cometbft/cometbft/security/advisories/GHSA-hrhf-2vcr-ghch"}],"fidelity":"lab","primitive_id":"cometbft_bitarray_mismatch"},{"bundle_ref":"cometbft_blockpart_mismatch","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-r3r4-g7hq-pq4f","kind":"ghsa","url":"https://github.com/advisories/GHSA-r3r4-g7hq-pq4f"}],"fidelity":"lab","primitive_id":"cometbft_blockpart_mismatch"}],"mechanism":"GHSA-hrhf-2vcr-ghch (ASA-2025-003): a BitArray whose declared Bits does not match its Elems count (len(Elems) != ceil(Bits/64)) is processed in an invalid state and gossiped to peers before validation","name":"malformed-field-gossip-before-validation","provenance_note":"imported from nr_registry cluster 'malformed-field-gossip-before-validation'","status":"active"},{"display_name":"Malformed GETDATA Infinite Loop","external_references":[{"id":"CVE-2024-52920","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52920"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0144","instances":[],"mechanism":"Malformed GETDATA Infinite Loop","name":"malformed-getdata-infinite-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'malformed-getdata-infinite-loop')","status":"active"},{"display_name":"Malformed HTTP Body Crash","external_references":[],"family":"connection_exhaustion","first_seen":"2026-07-09","id":"NRDAX-T0145","instances":[{"bundle_ref":"zebra_rpc_premature_disconnect_crash","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2026-41585 / GHSA-29x4-r6jv-ff4w https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w (Zebra JSON-RPC HTTP middleware: DoS via interrupted/truncated request body from an authenticated client)","kind":"cve"}],"fidelity":"lab","primitive_id":"zebra_rpc_premature_disconnect_crash"}],"mechanism":"CVE-2026-41585 (GHSA-29x4-r6jv-ff4w): Zebra's JSON-RPC HTTP middleware treated a failure to read the incoming HTTP request body as an unrecoverable error, aborting the process instead of returning an ","name":"malformed-http-body-crash","provenance_note":"imported from nr_registry cluster 'malformed-http-body-crash'","status":"active"},{"display_name":"Malformed HTTP Header Parsing Crash","external_references":[{"id":"GHPR-stellar-stellar-core-5149","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0146","instances":[],"mechanism":"Malformed HTTP Header Parsing Crash","name":"malformed-http-header-parsing-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'malformed-http-header-parsing-crash')","status":"active"},{"display_name":"Malformed HTTP/3 Frame Crash","external_references":[{"id":"GHPR-cloudflare-quiche-814","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0147","instances":[],"mechanism":"Malformed HTTP/3 Frame Crash","name":"malformed-http3-frame-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'malformed-http3-frame-crash')","status":"active"},{"display_name":"Malformed KZG Proof Mismatch DoS","external_references":[],"family":"compute_amp","first_seen":"2026-07-07","id":"NRDAX-T0148","instances":[{"bundle_ref":"geth_blob_kzg_dos","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg","kind":"ghsa","url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-mq3p-rrmp-79jg"}],"fidelity":"lab","primitive_id":"geth_blob_kzg_dos"}],"mechanism":"CVE-2026-22868 (CVSS 7.5): a batch of EIP-4844 type-3 blob txs announced then delivered (PooledTransactions) with structurally-valid KZG sidecars whose commitment/proof (over blob A) mismatch the carr","name":"malformed-kzg-proof-mismatch-dos","provenance_note":"imported from nr_registry cluster 'malformed-kzg-proof-mismatch-dos'","status":"active"},{"display_name":"Malformed Protocol Message Crash","external_references":[{"id":"CVE-2020-14198","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-14198"},{"id":"CVE-2020-26264","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26264"},{"id":"CVE-2021-41173","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41173"},{"id":"CVE-2021-43668","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-43668"},{"id":"CVE-2023-42805","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42805"},{"id":"CVE-2023-46239","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46239"},{"id":"CVE-2024-35202","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35202"},{"id":"CVE-2024-45311","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45311"},{"id":"CVE-2025-24883","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24883"},{"id":"CVE-2026-22862","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22862"},{"id":"CVE-2026-26314","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26314"},{"id":"CVE-2026-32314","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32314"},{"id":"CVE-2026-32605","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32605"},{"id":"CVE-2026-40092","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40092"},{"id":"CVE-2026-52829","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52829"},{"id":"GHSA-6fgm-x6ff-w78f","kind":"ghsa","url":"https://github.com/advisories/GHSA-6fgm-x6ff-w78f"},{"id":"GHSA-hg58-rf2h-6rr7","kind":"ghsa","url":"https://github.com/advisories/GHSA-hg58-rf2h-6rr7"},{"id":"GHSA-hrhf-2vcr-ghch","kind":"ghsa","url":"https://github.com/advisories/GHSA-hrhf-2vcr-ghch"},{"id":"GHSA-m6gx-rhvj-fh52","kind":"ghsa","url":"https://github.com/advisories/GHSA-m6gx-rhvj-fh52"},{"id":"GHSA-p7mv-53f2-4cwj","kind":"ghsa","url":"https://github.com/advisories/GHSA-p7mv-53f2-4cwj"},{"id":"GHPR-ACINQ-eclair-1385","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3497","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3498","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3503","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3508","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3509","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3523","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3535","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-8817","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-8864","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-8889","kind":"vendor-advisory"},{"id":"GHPR-IntersectMBO-cardano-ledger-5757","kind":"vendor-advisory"},{"id":"GHPR-XRPLF-clio-994","kind":"vendor-advisory"},{"id":"GHPR-aws-s2n-quic-3141","kind":"vendor-advisory"},{"id":"GHPR-cosmos-ethermint-673","kind":"vendor-advisory"},{"id":"GHPR-cosmos-ibc-go-4741","kind":"vendor-advisory"},{"id":"GHPR-erigontech-erigon-21560","kind":"vendor-advisory"},{"id":"GHPR-filecoin-project-go-f3-551","kind":"vendor-advisory"},{"id":"GHPR-filecoin-project-venus-6125","kind":"vendor-advisory"},{"id":"GHPR-libp2p-rust-libp2p-6002","kind":"vendor-advisory"},{"id":"GHPR-paritytech-polkadot-sdk-12017","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v0.6.0","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v3.0.3-fix","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v3.0.3-testnet-fix","kind":"vendor-advisory"},{"id":"GHREL-firedancer-io-firedancer-v0.111.20005","kind":"vendor-advisory"},{"id":"GHREL-monero-project-monero-v0.18.1.0","kind":"vendor-advisory"},{"id":"GHREL-monero-project-monero-v0.18.4.0","kind":"vendor-advisory"},{"id":"GHREL-monero-project-monero-v0.18.5.1","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.16.1","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.19.1","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.20.0-rc.2","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.36.2","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-2.10.2","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-2.10.4","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-2.10.6","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-2.10.7","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-2.11.1","kind":"vendor-advisory"},{"id":"GHREL-paritytech-polkadot-sdk-polkadot-v1.14.1","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.0.10","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.0.18","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.0.22","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.0.8","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.4","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.2.3","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0149","instances":[],"mechanism":"Malformed Protocol Message Crash","name":"malformed-protocol-message-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'malformed-protocol-message-crash')","status":"active"},{"display_name":"Malformed SOCKS Response Infinite Loop","external_references":[{"id":"CVE-2013-10005","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2013-10005"}],"family":"network-p2p","first_seen":"2013-01-01","id":"NRDAX-T0150","instances":[],"mechanism":"Malformed SOCKS Response Infinite Loop","name":"malformed-socks-response-infinite-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'malformed-socks-response-infinite-loop')","status":"active"},{"display_name":"Malformed Transaction Field Panic","external_references":[{"id":"CVE-2026-34202","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34202"},{"id":"CVE-2026-41584","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41584"},{"id":"GHSA-2gw2-qgjg-xh6p","kind":"ghsa","url":"https://github.com/advisories/GHSA-2gw2-qgjg-xh6p"},{"id":"GHPR-MystenLabs-sui-27191","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-mainnet-v1.72.4","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-testnet-v1.68.0","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-testnet-v1.68.1","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.20","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.8","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2026-01-01","id":"NRDAX-T0151","instances":[],"mechanism":"Malformed Transaction Field Panic","name":"malformed-tx-field-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'malformed-tx-field-panic')","status":"active"},{"display_name":"Malformed UPnP Response Infinite Loop","external_references":[{"id":"CVE-2024-52917","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52917"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0152","instances":[],"mechanism":"Malformed UPnP Response Infinite Loop","name":"malformed-upnp-response-infinite-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'malformed-upnp-response-infinite-loop')","status":"active"},{"display_name":"Mempool Computational Complexity DoS","external_references":[{"id":"GHSA-f8qm-hmm3-fv7f","kind":"ghsa","url":"https://github.com/advisories/GHSA-f8qm-hmm3-fv7f"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0153","instances":[],"mechanism":"Mempool Computational Complexity DoS","name":"mempool-computational-complexity-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'mempool-computational-complexity-dos')","status":"active"},{"display_name":"Mempool Deadlock DoS","external_references":[{"id":"GHREL-IntersectMBO-cardano-node-10.6.2","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0154","instances":[],"mechanism":"Mempool Deadlock DoS","name":"mempool-deadlock-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'mempool-deadlock-dos')","status":"active"},{"display_name":"Mempool Flood Eviction","external_references":[{"id":"CVE-2022-23327","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23327"},{"id":"CVE-2022-23328","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23328"},{"id":"CVE-2024-55563","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55563"},{"id":"GHREL-IntersectMBO-cardano-node-10.1.4","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2022-01-01","id":"NRDAX-T0155","instances":[],"mechanism":"Mempool Flood Eviction","name":"mempool-flood-eviction","provenance_note":"known-but-not-reproduced coverage gap (technique 'mempool-flood-eviction')","status":"active"},{"display_name":"Mempool Pending Eviction Flood","external_references":[],"family":"memory_amp","first_seen":"2026-07-07","id":"NRDAX-T0156","instances":[{"bundle_ref":"geth_mempool_spend_all_flood","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2022-23328","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23328"}],"fidelity":"lab","primitive_id":"geth_mempool_spend_all_flood"},{"bundle_ref":"geth_tx_future_flood","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-pvx3-gm3c-gmpr","kind":"ghsa","url":"https://github.com/advisories/GHSA-pvx3-gm3c-gmpr"}],"fidelity":"lab","primitive_id":"geth_tx_future_flood"}],"mechanism":"CVE-2022-23328 (go-ethereum, CVSS 7.5, all versions <1.10.13): an attacker node sends 5120 PENDING high-gas-price txns from ONE account that each fully spend the account's FULL BALANCE, in one eth Tra","name":"mempool-pending-eviction-flood","provenance_note":"imported from nr_registry cluster 'mempool-pending-eviction-flood'","status":"active"},{"display_name":"Mempool Sender Spoofing Resource Exhaustion","external_references":[{"id":"GHPR-Conflux-Chain-conflux-rust-3493","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0157","instances":[],"mechanism":"Mempool Sender Spoofing Resource Exhaustion","name":"mempool-sender-spoofing-resource-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'mempool-sender-spoofing-resource-exhaustion')","status":"active"},{"display_name":"Merkle Proof Forgery","external_references":[{"id":"CVE-2017-12842","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12842"}],"family":"crypto","first_seen":"2017-01-01","id":"NRDAX-T0158","instances":[],"mechanism":"Merkle Proof Forgery","name":"merkle-proof-forgery","provenance_note":"known-but-not-reproduced coverage gap (technique 'merkle-proof-forgery')","status":"active"},{"display_name":"Merkle Trie Memory Leak","external_references":[{"id":"GHREL-algorand-go-algorand-v2.0.9-stable","kind":"vendor-advisory"},{"id":"GHREL-algorand-go-algorand-v2.1.1-beta","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0159","instances":[],"mechanism":"Merkle Trie Memory Leak","name":"merkle-trie-memory-leak","provenance_note":"known-but-not-reproduced coverage gap (technique 'merkle-trie-memory-leak')","status":"active"},{"display_name":"Message Field Integer Overflow OOM","external_references":[{"id":"CVE-2024-32972","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32972"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0160","instances":[],"mechanism":"Message Field Integer Overflow OOM","name":"message-field-integer-overflow-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'message-field-integer-overflow-oom')","status":"active"},{"display_name":"Metric Collection Panic Crash","external_references":[{"id":"GHPR-libp2p-rust-libp2p-6158","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0161","instances":[],"mechanism":"Metric Collection Panic Crash","name":"metric-collection-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'metric-collection-panic-crash')","status":"active"},{"display_name":"Metrics Endpoint Resource Exhaustion","external_references":[{"id":"GHPR-IntersectMBO-cardano-node-6396","kind":"vendor-advisory"},{"id":"GHREL-firedancer-io-firedancer-v0.106.11814","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0162","instances":[],"mechanism":"Metrics Endpoint Resource Exhaustion","name":"metrics-endpoint-resource-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'metrics-endpoint-resource-exhaustion')","status":"active"},{"display_name":"Mining Pool Auth Bypass","external_references":[{"id":"CVE-2018-10831","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-10831"}],"family":"crypto","first_seen":"2018-01-01","id":"NRDAX-T0163","instances":[],"mechanism":"Mining Pool Auth Bypass","name":"mining-pool-auth-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'mining-pool-auth-bypass')","status":"active"},{"display_name":"Missing Crypto Provider Panic Crash","external_references":[{"id":"GHPR-paritytech-polkadot-sdk-11253","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0164","instances":[],"mechanism":"Missing Crypto Provider Panic Crash","name":"missing-crypto-provider-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'missing-crypto-provider-panic-crash')","status":"active"},{"display_name":"Missing Zero-Guard Divide-By-Zero Halt","external_references":[{"id":"GHSA-x5vx-95h7-rv4p","kind":"ghsa","url":"https://github.com/advisories/GHSA-x5vx-95h7-rv4p"}],"family":"consensus_abuse","first_seen":"2026-07-07","id":"NRDAX-T0165","instances":[{"bundle_ref":"cosmos_group_divzero_halt","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p","kind":"ghsa","url":"https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-x5vx-95h7-rv4p"}],"fidelity":"lab","primitive_id":"cosmos_group_divzero_halt"}],"mechanism":"GHSA-x5vx-95h7-rv4p (cosmos-sdk <=0.47.15/<=0.50.11): x/group PercentageDecisionPolicy.Allow does yesCount.Quo(totalPower) with no totalPower==0 guard; a proposal on a group whose weight is driven to ","name":"missing-zero-guard-divide-by-zero-halt","provenance_note":"imported from nr_registry cluster 'missing-zero-guard-divide-by-zero-halt'","status":"active"},{"display_name":"Move Verifier Fixpoint CPU Exhaustion","external_references":[],"family":"compute_amp","first_seen":"2026-07-02","id":"NRDAX-T0166","instances":[{"bundle_ref":"sui_verifier_hamsterwheel","chain":"sui","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://medium.com/certik-skyfall/the-hamsterwheel-an-in-depth-exploration-of-a-novel-attack-vector-on-the-sui-blockchain-522f80623bc7","kind":"vendor-advisory","url":"https://medium.com/certik-skyfall/the-hamsterwheel-an-in-depth-exploration-of-a-novel-attack-vector-on-the-sui-blockchain-522f80623bc7"}],"fidelity":"lab","primitive_id":"sui_verifier_hamsterwheel"}],"mechanism":"CertiK Skyfall HamsterWheel: crafted-CFG Move module defeats id_leak_verifier fixpoint → infinite re-analysis → CPU halt","name":"move-verifier-fixpoint-cpu-exhaustion","provenance_note":"imported from nr_registry cluster 'move-verifier-fixpoint-cpu-exhaustion'","status":"active"},{"display_name":"Nested Execution State Corruption","external_references":[{"id":"GHSA-54gx-3cgr-7mfm","kind":"ghsa","url":"https://github.com/advisories/GHSA-54gx-3cgr-7mfm"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0167","instances":[],"mechanism":"Nested Execution State Corruption","name":"nested-execution-state-corruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'nested-execution-state-corruption')","status":"active"},{"display_name":"Network Partition Consensus Panic Crash","external_references":[{"id":"GHPR-MystenLabs-mysticeti-12","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0168","instances":[],"mechanism":"Network Partition Consensus Panic Crash","name":"network-partition-consensus-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'network-partition-consensus-panic-crash')","status":"active"},{"display_name":"Network Reconnaissance Scanning","external_references":[],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0169","instances":[],"mechanism":"Network Reconnaissance Scanning","name":"network-reconnaissance-scanning","provenance_note":"known-but-not-reproduced coverage gap (technique 'network-reconnaissance-scanning')","status":"active"},{"display_name":"Network-Triggered Runtime DoS","external_references":[{"id":"CVE-2020-28362","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-28362"},{"id":"CVE-2024-1931","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1931"},{"id":"CVE-2025-61728","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61728"},{"id":"CVE-2026-3635","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3635"},{"id":"CVE-2026-48110","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48110"},{"id":"GHPR-paradigmxyz-reth-25185","kind":"vendor-advisory"}],"family":"supply-chain","first_seen":"2020-01-01","id":"NRDAX-T0170","instances":[],"mechanism":"Network-Triggered Runtime DoS","name":"network-triggered-runtime-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'network-triggered-runtime-dos')","status":"active"},{"display_name":"Nil Node Dereference Panic","external_references":[{"id":"GHPR-ElementsProject-lightning-8780","kind":"vendor-advisory"},{"id":"GHPR-Fantom-foundation-go-opera-127","kind":"vendor-advisory"},{"id":"GHPR-Fantom-foundation-go-opera-250","kind":"vendor-advisory"},{"id":"GHPR-Fantom-foundation-go-opera-254","kind":"vendor-advisory"},{"id":"GHPR-btcsuite-btcd-2273","kind":"vendor-advisory"},{"id":"GHPR-filecoin-project-venus-5454","kind":"vendor-advisory"},{"id":"GHPR-osmosis-labs-osmosis-9467","kind":"vendor-advisory"},{"id":"GHREL-Fantom-foundation-go-opera-v1.1.0-rc.3","kind":"vendor-advisory"}],"family":"compute_amp","first_seen":"2026-07-02","id":"NRDAX-T0171","instances":[{"bundle_ref":"geth_les_getproofsv2_dos","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2020-26264","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26264"}],"fidelity":"lab","primitive_id":"geth_les_getproofsv2_dos"},{"bundle_ref":"geth_snap_trienode_dos","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v","kind":"ghsa","url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-59hh-656j-3p7v"}],"fidelity":"lab","primitive_id":"geth_snap_trienode_dos"}],"mechanism":"CVE-2020-26264: a crafted LES GetProofsV2 storage-proof request (non-empty AccKey for a non-existent account) dereferences a nil account trie in the les server's GetProofsV2 handler → panic/crash (get","name":"nil-node-dereference-panic","provenance_note":"imported from nr_registry cluster 'nil-node-dereference-panic'","status":"active"},{"display_name":"Nil Reference Panic Crash","external_references":[{"id":"GHPR-CosmWasm-wasmd-2382","kind":"vendor-advisory"},{"id":"GHPR-cosmos-cosmos-sdk-26527","kind":"vendor-advisory"},{"id":"GHPR-cosmos-cosmos-sdk-26571","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0172","instances":[],"mechanism":"Nil Reference Panic Crash","name":"nil-reference-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'nil-reference-panic-crash')","status":"active"},{"display_name":"Nil Response Consensus Engine Panic","external_references":[{"id":"GHPR-ava-labs-avalanchego-5547","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0173","instances":[],"mechanism":"Nil Response Consensus Engine Panic","name":"nil-response-consensus-engine-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'nil-response-consensus-engine-panic')","status":"active"},{"display_name":"Non-Exploitable Cryptographic Defect","external_references":[{"id":"GHSA-2cgv-28vr-rv6j","kind":"ghsa","url":"https://github.com/advisories/GHSA-2cgv-28vr-rv6j"},{"id":"GHSA-434v-x5qv-pmh6","kind":"ghsa","url":"https://github.com/advisories/GHSA-434v-x5qv-pmh6"},{"id":"GHSA-q29p-9pfr-j652","kind":"ghsa","url":"https://github.com/advisories/GHSA-q29p-9pfr-j652"},{"id":"RUSTSEC-2026-0126","kind":"vendor-advisory","url":"https://rustsec.org/advisories/RUSTSEC-2026-0126.html"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0174","instances":[],"mechanism":"Non-Exploitable Cryptographic Defect","name":"non-exploitable-cryptographic-defect","provenance_note":"known-but-not-reproduced coverage gap (technique 'non-exploitable-cryptographic-defect')","status":"active"},{"display_name":"Nonce Sequencing Proposal Degradation","external_references":[{"id":"GHSA-2557-x9mg-76w8","kind":"ghsa","url":"https://github.com/advisories/GHSA-2557-x9mg-76w8"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0175","instances":[],"mechanism":"Nonce Sequencing Proposal Degradation","name":"nonce-sequencing-proposal-degradation","provenance_note":"known-but-not-reproduced coverage gap (technique 'nonce-sequencing-proposal-degradation')","status":"active"},{"display_name":"Nondeterministic Execution Consensus Split","external_references":[{"id":"CVE-2021-41135","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-41135"},{"id":"GHSA-4wf3-5qj9-368v","kind":"ghsa","url":"https://github.com/advisories/GHSA-4wf3-5qj9-368v"},{"id":"GHSA-fpgj-cr28-fvpx","kind":"ghsa","url":"https://github.com/advisories/GHSA-fpgj-cr28-fvpx"},{"id":"GHSA-jg6f-48ff-5xrw","kind":"ghsa","url":"https://github.com/advisories/GHSA-jg6f-48ff-5xrw"}],"family":"consensus","first_seen":"2021-01-01","id":"NRDAX-T0176","instances":[],"mechanism":"Nondeterministic Execution Consensus Split","name":"nondeterministic-execution-consensus-split","provenance_note":"known-but-not-reproduced coverage gap (technique 'nondeterministic-execution-consensus-split')","status":"active"},{"display_name":"Notification Handle Drop CPU Exhaustion","external_references":[{"id":"GHREL-paritytech-polkadot-sdk-polkadot-stable2503-1","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0177","instances":[],"mechanism":"Notification Handle Drop CPU Exhaustion","name":"notification-handle-drop-cpu-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'notification-handle-drop-cpu-exhaustion')","status":"active"},{"display_name":"Null-Deref Crash via Crafted Input","external_references":[{"id":"CVE-2021-3712","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3712"}],"family":"crypto","first_seen":"2021-01-01","id":"NRDAX-T0178","instances":[],"mechanism":"Null-Deref Crash via Crafted Input","name":"null-deref-crash-crafted-input","provenance_note":"known-but-not-reproduced coverage gap (technique 'null-deref-crash-crafted-input')","status":"active"},{"display_name":"Numeric Field Parsing Memory Exhaustion","external_references":[{"id":"GHREL-IntersectMBO-cardano-node-8.9.2","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0179","instances":[],"mechanism":"Numeric Field Parsing Memory Exhaustion","name":"numeric-field-parsing-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'numeric-field-parsing-memory-exhaustion')","status":"active"},{"display_name":"OIDC Identity Verification Bypass","external_references":[{"id":"CVE-2026-55075","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55075"}],"family":"network-rpc","first_seen":"2026-01-01","id":"NRDAX-T0180","instances":[],"mechanism":"OIDC Identity Verification Bypass","name":"oidc-identity-verification-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'oidc-identity-verification-bypass')","status":"active"},{"display_name":"Onion Message Parsing OOM","external_references":[{"id":"CVE-2024-38359","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38359"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0181","instances":[],"mechanism":"Onion Message Parsing OOM","name":"onion-message-parsing-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'onion-message-parsing-oom')","status":"active"},{"display_name":"Optimistic ACK Congestion Window Manipulation","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0182","instances":[{"bundle_ref":"quic_optimistic_ack_cwnd_growth","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2025-4820 / GHSA-2v9p-3p3h-w56j — https://github.com/cloudflare/quiche/security/advisories/GHSA-2v9p-3p3h-w56j (see also https://blog.cloudflare.com/defending-quic-from-acknowledgement-based-ddos-attacks/ and RFC 9000 §21.4 Optimistic ACK Attack). cloudflare/quiche < 0.24.4 incorrectly grows its congestion window in response to ACK frames that acknowledge packets the peer never received (optimistic / opportunistic ACK), allowing more bytes in flight than the path supports and transmission faster than the path can handle. Fixed in quiche 0.24.4 (dynamic CWND-aware packet-number skipping so a forward ACK for a not-yet-sent packet number is caught).","kind":"cve"}],"fidelity":"lab","primitive_id":"quic_optimistic_ack_cwnd_growth"},{"bundle_ref":"quiche_ack_never_sent_cwnd","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"proxy","primitive_id":"quiche_ack_never_sent_cwnd"}],"mechanism":"quiche optimistic-ACK congestion-window growth (CVE-2025-4820): a QUIC peer completes a handshake, initiates a congestion-controlled transfer toward itself, then sends ACK frames (type 0x02 / 0x03) ac","name":"optimistic-ack-congestion-window-manipulation","provenance_note":"imported from nr_registry cluster 'optimistic-ack-congestion-window-manipulation'","status":"active"},{"display_name":"Orphan Transaction Processing DoS","external_references":[{"id":"CVE-2024-52914","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52914"}],"family":"ledger-tx","first_seen":"2024-01-01","id":"NRDAX-T0183","instances":[],"mechanism":"Orphan Transaction Processing DoS","name":"orphan-tx-processing-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'orphan-tx-processing-dos')","status":"active"},{"display_name":"Orphan Tx Resolution CPU Amplification","external_references":[],"family":"compute_amp","first_seen":"2026-07-01","id":"NRDAX-T0184","instances":[{"bundle_ref":"btc_orphan_cpu","chain":"litecoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/07/03/disclose-orphan-dos/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/07/03/disclose-orphan-dos/"}],"fidelity":"lab","primitive_id":"btc_orphan_cpu"}],"mechanism":"CVE-2024-52914: orphan-tx re-resolution O(outputs × 100 orphans) of expensive txs → multi-hour CPU stall","name":"orphan-tx-resolution-cpu-amplification","provenance_note":"imported from nr_registry cluster 'orphan-tx-resolution-cpu-amplification'","status":"active"},{"display_name":"Out-Of-Order Stream Reassembly OOM","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0185","instances":[{"bundle_ref":"quinn_gap_fragment_reassembly_oom","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"GHSA-4w2j-m93h-cj5j (https://github.com/advisories/GHSA-4w2j-m93h-cj5j) / RUSTSEC-2026-0185 (https://rustsec.org/advisories/RUSTSEC-2026-0185.html) — quinn-proto: remote memory exhaustion from unbounded out-of-order stream reassembly. The per-stream `Assembler` retains out-of-order received STREAM data until a contiguous prefix can be delivered; a peer sending many small STREAM fragments at gapped (non-contiguous) offsets forces un-coalescible entries whose per-fragment overhead grows without bound while never becoming deliverable.","kind":"ghsa"}],"fidelity":"lab","primitive_id":"quinn_gap_fragment_reassembly_oom"}],"mechanism":"quinn-proto out-of-order stream reassembly memory exhaustion (GHSA-4w2j-m93h-cj5j / RUSTSEC-2026-0185, CVSS 7.5 AV:N/AC:L/PR:N/UI:N/A:H, CWE-770; affected quinn-proto < 0.11.15, fixed 0.11.15). An una","name":"out-of-order-stream-reassembly-oom","provenance_note":"imported from nr_registry cluster 'out-of-order-stream-reassembly-oom'","status":"active"},{"display_name":"Oversized Block Execution Panic Crash","external_references":[{"id":"GHPR-OffchainLabs-go-ethereum-522","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0186","instances":[],"mechanism":"Oversized Block Execution Panic Crash","name":"oversized-block-execution-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'oversized-block-execution-panic-crash')","status":"active"},{"display_name":"Oversized Block Response Flood","external_references":[],"family":"memory_amp","first_seen":"2026-07-04","id":"NRDAX-T0187","instances":[{"bundle_ref":"cometbft_blocksync_flood","chain":"cosmos","discovery_origin":"original-research","external_references":[{"id":"https://github.com/cometbft/cometbft/blob/v0.38.22/consensus/reactor.go","kind":"vendor-advisory","url":"https://github.com/cometbft/cometbft/blob/v0.38.22/consensus/reactor.go"}],"fidelity":"lab","primitive_id":"cometbft_blocksync_flood"}],"mechanism":"CometBFT BlocksyncChannel(0x40) oversized BlockResponse (up to 9000 CommitSigs, ~900KB): the Block decode + ValidateBasic at https://github.com/cometbft/cometbft/blob/v0.38.22/blocksync/reactor.go is ","name":"oversized-block-response-flood","provenance_note":"imported from nr_registry cluster 'oversized-block-response-flood'","status":"active"},{"display_name":"Oversized Control-Message Array CPU Burn","external_references":[{"id":"CVE-2026-49866","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49866"},{"id":"GHPR-Conflux-Chain-conflux-rust-3539","kind":"vendor-advisory"}],"family":"gossip_abuse","first_seen":"2026-01-01","id":"NRDAX-T0188","instances":[{"bundle_ref":"gossipsub_ihave_iwant_flood","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2026-49866","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49866"}],"fidelity":"lab","primitive_id":"gossipsub_ihave_iwant_flood"}],"mechanism":"CVE-2026-49866: gossipsub oversized IHAVE/IWANT control-message arrays (huge messageID lists) → per-ID processing → CPU DoS","name":"oversized-control-message-array-cpu-burn","provenance_note":"imported from nr_registry cluster 'oversized-control-message-array-cpu-burn'","status":"active"},{"display_name":"Oversized Field Buffer Overflow","external_references":[{"id":"CVE-2020-26160","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26160"},{"id":"CVE-2022-29077","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29077"},{"id":"GHPR-Conflux-Chain-conflux-rust-3560","kind":"vendor-advisory"},{"id":"GHPR-filecoin-project-lotus-13306","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0189","instances":[],"mechanism":"Oversized Field Buffer Overflow","name":"oversized-field-buffer-overflow","provenance_note":"known-but-not-reproduced coverage gap (technique 'oversized-field-buffer-overflow')","status":"active"},{"display_name":"Oversized Hex String Parsing CPU Exhaustion","external_references":[{"id":"GHPR-tronprotocol-java-tron-6693","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0190","instances":[],"mechanism":"Oversized Hex String Parsing CPU Exhaustion","name":"oversized-hex-string-parsing-cpu-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'oversized-hex-string-parsing-cpu-exhaustion')","status":"active"},{"display_name":"Oversized Script Validation Bypass","external_references":[{"id":"CVE-2022-44797","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-44797"},{"id":"CVE-2024-34149","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34149"}],"family":"ledger-tx","first_seen":"2022-01-01","id":"NRDAX-T0191","instances":[],"mechanism":"Oversized Script Validation Bypass","name":"oversized-script-validation-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'oversized-script-validation-bypass')","status":"active"},{"display_name":"Oversized Transaction Block-Fill","external_references":[{"id":"CVE-2024-8421","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8421"}],"family":"gossip_abuse","first_seen":"2024-01-01","id":"NRDAX-T0192","instances":[{"bundle_ref":"zcash_sapling_woodchip_tx_flood","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2019-11636","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-11636"}],"fidelity":"lab","primitive_id":"zcash_sapling_woodchip_tx_flood"}],"mechanism":"CVE-2019-11636 (Zcash 'Sapling Wood-Chipper'): Zcash 2.x raised the max transaction size from 100 KB to the full block size after Sapling, letting an attacker cheaply build block-filling shielded txs ","name":"oversized-transaction-block-fill","provenance_note":"imported from nr_registry cluster 'oversized-transaction-block-fill'","status":"active"},{"display_name":"P2P Layer Memory Leak OOM","external_references":[{"id":"GHREL-MystenLabs-sui-devnet-0.7.0","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.16.0-rc.3","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.24.0","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.24.0-rc.3","kind":"vendor-advisory"},{"id":"GHREL-paritytech-polkadot-sdk-polkadot-stable2407-1","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0193","instances":[],"mechanism":"P2P Layer Memory Leak OOM","name":"p2p-memory-leak-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'p2p-memory-leak-oom')","status":"active"},{"display_name":"P2P Message Race Condition Crash","external_references":[{"id":"CVE-2024-32985","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32985"},{"id":"GHPR-ava-labs-coreth-1284","kind":"vendor-advisory"},{"id":"GHPR-btcsuite-btcd-2480","kind":"vendor-advisory"},{"id":"GHPR-libp2p-go-libp2p-3034","kind":"vendor-advisory"},{"id":"GHPR-libp2p-js-libp2p-2986","kind":"vendor-advisory"},{"id":"GHREL-Fantom-foundation-go-opera-v1.1.0-rc.2","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0194","instances":[],"mechanism":"P2P Message Race Condition Crash","name":"p2p-message-race-condition-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'p2p-message-race-condition-crash')","status":"active"},{"display_name":"Path Challenge Response Memory Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0195","instances":[{"bundle_ref":"quic_go_path_challenge_flood","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2023-49295 / GHSA-ppxx-5m9h-6vxf — quic-go/quic-go: 'Memory Exhaustion Attack against QUIC's Path Validation Mechanism.' An attacker floods the peer with a large number of PATH_CHALLENGE frames (RFC 9000 §8.2 requires a PATH_RESPONSE for each), then prevents those responses from being sent by collapsing the peer's congestion window (selective ACK) and manipulating its RTT estimate — so the un-sendable PATH_RESPONSE frames queue internally without bound, exhausting memory (availability DoS, severity Moderate). No workaround; the fix bounds retained path-validation state. Affected quic-go v0.40.0, <= v0.39.3, <= v0.38.1, <= v0.37.6; fixed v0.40.1, v0.39.4, v0.38.2, v0.37.7. Reported by marten-seemann. Advisory: https://github.com/quic-go/quic-go/security/advisories/GHSA-ppxx-5m9h-6vxf","kind":"cve"}],"fidelity":"lab","primitive_id":"quic_go_path_challenge_flood"}],"mechanism":"quic-go QUIC path-validation memory exhaustion (CVE-2023-49295): flood of QUIC v1 short-header (1-RTT) packets each carrying PATH_CHALLENGE frame(s) (type 0x1a + 8B challenge data). Each PATH_CHALLENG","name":"path-challenge-response-memory-exhaustion","provenance_note":"imported from nr_registry cluster 'path-challenge-response-memory-exhaustion'","status":"active"},{"display_name":"Path Migration Challenge Queue Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0196","instances":[{"bundle_ref":"quiche_path_challenge_queue","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2023-6193 / GHSA-w3vp-jw9m-f9pm — cloudflare/quiche: 'Unbounded queuing of path validation messages.' QUIC path validation (RFC 9000 §8.2) makes the recipient of a PATH_CHALLENGE frame (type 0x1a) reply with a PATH_RESPONSE (type 0x1b) echoing the 8-byte challenge. An unauthenticated remote attacker sends PATH_CHALLENGE frames — changing source address so each path migration forces path validation — and manipulates the connection (e.g. restricting the peer's congestion window) so PATH_RESPONSEs can only be sent slower than PATH_CHALLENGEs are received; quiche stores the path-validation data in an UNBOUNDED queue, so memory grows without limit for the connection's lifetime (availability DoS, CWE-400, CVSS 3.1 5.3 Moderate). Affected quiche 0.15.0 through 0.19.0; fixed in 0.19.1. Advisory: https://github.com/cloudflare/quiche/security/advisories/GHSA-w3vp-jw9m-f9pm","kind":"cve"}],"fidelity":"lab","primitive_id":"quiche_path_challenge_queue"}],"mechanism":"quiche QUIC PATH_CHALLENGE unbounded-queue flood (CVE-2023-6193): flood of QUIC 1-RTT short-header packets on one DCID arriving from CHANGING source paths (rotating loopback 4-tuples = QUIC connection","name":"path-migration-challenge-queue-exhaustion","provenance_note":"imported from nr_registry cluster 'path-migration-challenge-queue-exhaustion'","status":"active"},{"display_name":"Payload Window Overflow Memory Exhaustion","external_references":[{"id":"GHPR-dfinity-ic-10547","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0197","instances":[],"mechanism":"Payload Window Overflow Memory Exhaustion","name":"payload-window-overflow-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'payload-window-overflow-memory-exhaustion')","status":"active"},{"display_name":"Peer List Sort CPU Amplification","external_references":[],"family":"compute_amp","first_seen":"2026-07-07","id":"NRDAX-T0198","instances":[{"bundle_ref":"cardano_peershare_sort_cpu","chain":"cardano","discovery_origin":"original-research","external_references":[{"id":"https://github.com/IntersectMBO/ouroboros-network/blob/master/ouroboros-network/lib/Ouroboros/Network/PeerSharing.hs","kind":"vendor-advisory","url":"https://github.com/IntersectMBO/ouroboros-network/blob/master/ouroboros-network/lib/Ouroboros/Network/PeerSharing.hs"}],"fidelity":"lab","primitive_id":"cardano_peershare_sort_cpu"}],"mechanism":"Cardano PeerSharing MsgShareRequest O(N log N) sort CPU amp: sortBy+hashWithSalt over the ~3000-peer known set per request (~170 us), no idle timeout (Codec.hs:160), no per-peer rate limit. One post-h","name":"peer-list-sort-cpu-amplification","provenance_note":"imported from nr_registry cluster 'peer-list-sort-cpu-amplification'","status":"active"},{"display_name":"Peer-Record Flood OOM","external_references":[{"id":"CVE-2023-40583","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40583"},{"id":"CVE-2026-35405","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35405"},{"id":"GHPR-NethermindEth-nethermind-12211","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v0.23.6","kind":"vendor-advisory"}],"family":"gossip_abuse","first_seen":"2023-01-01","id":"NRDAX-T0199","instances":[{"bundle_ref":"libp2p_signed_peer_record_flood","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-gcq9-qqwx-rgj3","kind":"ghsa","url":"https://github.com/advisories/GHSA-gcq9-qqwx-rgj3"}],"fidelity":"lab","primitive_id":"libp2p_signed_peer_record_flood"}],"mechanism":"CVE-2023-40583: unchecked signed peer-record flood (peer-exchange) → go-libp2p peerstore OOM","name":"peer-record-flood-oom","provenance_note":"imported from nr_registry cluster 'peer-record-flood-oom'","status":"active"},{"display_name":"Peer Record Signature Bypass Impersonation","external_references":[{"id":"GHSA-wc36-xgcc-jwpr","kind":"ghsa","url":"https://github.com/advisories/GHSA-wc36-xgcc-jwpr"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0200","instances":[],"mechanism":"Peer Record Signature Bypass Impersonation","name":"peer-record-signature-bypass-impersonation","provenance_note":"known-but-not-reproduced coverage gap (technique 'peer-record-signature-bypass-impersonation')","status":"active"},{"display_name":"Peer Reputation Demotion Race Crash","external_references":[{"id":"GHREL-Conflux-Chain-conflux-rust-v0.5.0","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0201","instances":[],"mechanism":"Peer Reputation Demotion Race Crash","name":"peer-reputation-demotion-race-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'peer-reputation-demotion-race-crash')","status":"active"},{"display_name":"Peer Timestamp Skew Manipulation","external_references":[],"family":"consensus_abuse","first_seen":"2026-07-08","id":"NRDAX-T0202","instances":[{"bundle_ref":"timejacking_peer_time_skew","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md","kind":"vendor-advisory","url":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md"}],"fidelity":"lab","primitive_id":"timejacking_peer_time_skew"}],"mechanism":"Timejacking (SlowMist Blockchain Common Vulnerability List; Culubas 2011): N peers advertise a version.timestamp skewed ~+70min (inside the AddTimeData ±70min acceptance window) → each peer's derived ","name":"peer-timestamp-skew-manipulation","provenance_note":"imported from nr_registry cluster 'peer-timestamp-skew-manipulation'","status":"active"},{"display_name":"Ping Flood Pending Frame OOM","external_references":[],"family":"memory_amp","first_seen":"2026-07-11","id":"NRDAX-T0203","instances":[{"bundle_ref":"yamux_ping_flood_pending_frames_oom","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/libp2p/rust-yamux/security/advisories/GHSA-3999-5ffv-wp2r","kind":"ghsa","url":"https://github.com/libp2p/rust-yamux/security/advisories/GHSA-3999-5ffv-wp2r"}],"fidelity":"lab","primitive_id":"yamux_ping_flood_pending_frames_oom"}],"mechanism":"CVE-2024-32984 (GHSA-3999-5ffv-wp2r): rust-yamux (0.13.0 .. <0.13.2) buffers frames-to-send in an unbounded `pending_frames` VecDeque. A remote peer floods Ping frames (each enqueues a Pong reply) and","name":"ping-flood-pending-frame-oom","provenance_note":"imported from nr_registry cluster 'ping-flood-pending-frame-oom'","status":"active"},{"display_name":"Pre-Handshake Buffer Reservation Exhaustion","external_references":[{"id":"GHSA-h72h-ppcx-998p","kind":"ghsa","url":"https://github.com/advisories/GHSA-h72h-ppcx-998p"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0204","instances":[],"mechanism":"Pre-Handshake Buffer Reservation Exhaustion","name":"pre-handshake-buffer-reservation-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'pre-handshake-buffer-reservation-exhaustion')","status":"active"},{"display_name":"Pre-Handshake Crypto CPU Burn","external_references":[{"id":"CVE-2022-0778","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-0778"}],"family":"compute_amp","first_seen":"2022-01-01","id":"NRDAX-T0205","instances":[{"bundle_ref":"btc_bip324_prehandshake_ecdh_cpu","chain":"bitcoin","discovery_origin":"original-research","external_references":[{"id":"https://github.com/bitcoin/bitcoin/blob/master/src/bip324.cpp","kind":"vendor-advisory","url":"https://github.com/bitcoin/bitcoin/blob/master/src/bip324.cpp"}],"fidelity":"lab","primitive_id":"btc_bip324_prehandshake_ecdh_cpu"},{"bundle_ref":"casper_p521_preauth_verify_burn","chain":"casper","discovery_origin":"original-research","external_references":[{"id":"casper-node @ee2fe18 tls.rs:500-540 P-521 verify; CSPR-H1","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"casper_p521_preauth_verify_burn"},{"bundle_ref":"cfx_ecies_preauth_ecdh_burn","chain":"conflux","discovery_origin":"original-research","external_references":[{"id":"conflux-rust @2dfb5f91 handshake.rs:173-197 + cfx_crypto crypto.rs:150; CFX-H1","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"cfx_ecies_preauth_ecdh_burn"},{"bundle_ref":"cometbft_mconn_handshake_burn","chain":"cosmos","discovery_origin":"original-research","external_references":[{"id":"cometbft-secretconnection-preauth-handshake-cpu-burn","kind":"nr-brief","url":"https://nullrabbit.ai/research/cometbft-secretconnection-preauth-handshake-cpu-burn"},{"id":"https://github.com/cometbft/cometbft/blob/v0.38.22/p2p/conn/secret_connection.go","kind":"vendor-advisory","url":"https://github.com/cometbft/cometbft/blob/v0.38.22/p2p/conn/secret_connection.go"}],"fidelity":"lab","primitive_id":"cometbft_mconn_handshake_burn"},{"bundle_ref":"icon_goloop_preauth_ecdh_burn","chain":"icon","discovery_origin":"original-research","external_references":[{"id":"goloop @67f6ff8 secure.go:226 ScalarMult; H-ICX-1","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"icon_goloop_preauth_ecdh_burn"},{"bundle_ref":"go_libp2p_oversized_rsa_key_cpu_burn","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-876p-8259-xjgg","kind":"ghsa","url":"https://github.com/libp2p/go-libp2p/security/advisories/GHSA-876p-8259-xjgg"}],"fidelity":"lab","primitive_id":"go_libp2p_oversized_rsa_key_cpu_burn"},{"bundle_ref":"qtum_bip324_prehandshake_ecdh_cpu","chain":"qtum","discovery_origin":"original-research","external_references":[{"id":"https://github.com/qtumproject/qtum — src/net.h:95 DEFAULT_V2_TRANSPORT{true} (BIP-324 v2 on by default), src/net.cpp:1140-1147 inbound accept + src/bip324.cpp:41-64 pre-auth ellswift ECDH + HKDF-SHA256 key derivation BEFORE any auth/allowlist/rate-limit; mainnet P2P port 3888; BIP-324 salt string 'qtum_v2_shared_secret' (only salt/network-magic/port diverge from Bitcoin Core).","kind":"vendor-advisory","url":"https://github.com/qtumproject/qtum — src/net.h:95 DEFAULT_V2_TRANSPORT{true} (BIP-324 v2 on by default), src/net.cpp:1140-1147 inbound accept + src/bip324.cpp:41-64 pre-auth ellswift ECDH + HKDF-SHA256 key derivation BEFORE any auth/allowlist/rate-limit; mainnet P2P port 3888; BIP-324 salt string 'qtum_v2_shared_secret' (only salt/network-magic/port diverge from Bitcoin Core)."}],"fidelity":"lab","primitive_id":"qtum_bip324_prehandshake_ecdh_cpu"},{"bundle_ref":"rippled_overlay_handshake_ecdsa_burn","chain":"xrp","discovery_origin":"original-research","external_references":[{"id":"https://github.com/XRPLF/rippled (overlay peer handshake: Handshake.cpp:318 verifyDigest -> PublicKey.cpp:222-267 secp256k1_ecdsa_verify; per-IP Resource::Consumer at OverlayImpl.cpp:235)","kind":"vendor-advisory","url":"https://github.com/XRPLF/rippled (overlay peer handshake: Handshake.cpp:318 verifyDigest -> PublicKey.cpp:222-267 secp256k1_ecdsa_verify; per-IP Resource::Consumer at OverlayImpl.cpp:235)"}],"fidelity":"lab","primitive_id":"rippled_overlay_handshake_ecdsa_burn"}],"mechanism":"Bitcoin Core BIP-324 v2 transport pre-auth CPU burn: the 64-byte inbound ellswift key triggers secp256k1 ellswift ECDH + HKDF-SHA256 BEFORE any auth/rate-limit; only the soft 125-inbound cap gates, ac","name":"pre-handshake-crypto-cpu-burn","provenance_note":"imported from nr_registry cluster 'pre-handshake-crypto-cpu-burn'","status":"active"},{"display_name":"Pre-Handshake Packet Flood","external_references":[],"family":"connection_exhaustion","first_seen":"2026-07-01","id":"NRDAX-T0206","instances":[{"bundle_ref":"geth_rlpx_auth_flood","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://notes.ethereum.org/gDWKW5RtSym02t2aGYkmSQ","kind":"vendor-advisory","url":"https://notes.ethereum.org/gDWKW5RtSym02t2aGYkmSQ"}],"fidelity":"lab","primitive_id":"geth_rlpx_auth_flood"}],"mechanism":"EL-2026-06 (EF public-disclosure): RLPx pre-auth packet flood → CPU/bandwidth exhaustion","name":"pre-handshake-packet-flood","provenance_note":"imported from nr_registry cluster 'pre-handshake-packet-flood'","status":"active"},{"display_name":"Pre-Verify Gossip Flood","external_references":[],"family":"consensus_abuse","first_seen":"2026-07-04","id":"NRDAX-T0207","instances":[{"bundle_ref":"cometbft_proposal_flood","chain":"cosmos","discovery_origin":"original-research","external_references":[{"id":"https://github.com/cometbft/cometbft/blob/v0.38.22/consensus/reactor.go","kind":"vendor-advisory","url":"https://github.com/cometbft/cometbft/blob/v0.38.22/consensus/reactor.go"}],"fidelity":"lab","primitive_id":"cometbft_proposal_flood"},{"bundle_ref":"cometbft_vote_flood","chain":"cosmos","discovery_origin":"original-research","external_references":[{"id":"https://github.com/cometbft/cometbft/blob/v0.38.22/consensus/reactor.go","kind":"vendor-advisory","url":"https://github.com/cometbft/cometbft/blob/v0.38.22/consensus/reactor.go"}],"fidelity":"lab","primitive_id":"cometbft_vote_flood"}],"mechanism":"CometBFT consensus DataChannel(0x21) ProposalMessage flood: valid-shape Proposal passes ValidateBasic but the RLock+queue path runs before deferred sig-verify — the N1.4 family HEAD (vote-flood + bloc","name":"pre-verify-gossip-flood","provenance_note":"imported from nr_registry cluster 'pre-verify-gossip-flood'","status":"active"},{"display_name":"Precompile Cryptographic Miscomputation","external_references":[{"id":"CVE-2025-54426","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54426"}],"family":"crypto","first_seen":"2025-01-01","id":"NRDAX-T0208","instances":[],"mechanism":"Precompile Cryptographic Miscomputation","name":"precompile-cryptographic-miscomputation","provenance_note":"known-but-not-reproduced coverage gap (technique 'precompile-cryptographic-miscomputation')","status":"active"},{"display_name":"Predicate Verification Liveness DoS","external_references":[{"id":"GHPR-ava-labs-subnet-evm-823","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0209","instances":[],"mechanism":"Predicate Verification Liveness DoS","name":"predicate-verification-liveness-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'predicate-verification-liveness-dos')","status":"active"},{"display_name":"Premature Disconnect Request Handling Crash","external_references":[{"id":"CVE-2026-41585","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41585"}],"family":"network-rpc","first_seen":"2026-01-01","id":"NRDAX-T0210","instances":[],"mechanism":"Premature Disconnect Request Handling Crash","name":"premature-disconnect-request-handling-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'premature-disconnect-request-handling-crash')","status":"active"},{"display_name":"Premature Processing Index-Out-Of-Range Panic","external_references":[],"family":"consensus_abuse","first_seen":"2026-07-07","id":"NRDAX-T0211","instances":[{"bundle_ref":"cometbft_voteext_panic","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj","kind":"ghsa","url":"https://github.com/cometbft/cometbft/security/advisories/GHSA-p7mv-53f2-4cwj"}],"fidelity":"lab","primitive_id":"cometbft_voteext_panic"}],"mechanism":"GHSA-p7mv-53f2-4cwj (ASA-2024-011): a Precommit with a non-nil BlockID + an attached vote extension is handled BEFORE the ValidatorIndex is verified → out-of-range ValidatorIndex → index-out-of-range ","name":"premature-processing-index-out-of-range-panic","provenance_note":"imported from nr_registry cluster 'premature-processing-index-out-of-range-panic'","status":"active"},{"display_name":"Proof Verification Bypass","external_references":[{"id":"CVE-2026-35679","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35679"}],"family":"economic-defi","first_seen":"2026-01-01","id":"NRDAX-T0212","instances":[],"mechanism":"Proof Verification Bypass","name":"proof-verification-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'proof-verification-bypass')","status":"active"},{"display_name":"Protocol Message CPU Burn","external_references":[{"id":"CVE-2026-22868","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22868"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0213","instances":[],"mechanism":"Protocol Message CPU Burn","name":"protocol-message-cpu-burn","provenance_note":"known-but-not-reproduced coverage gap (technique 'protocol-message-cpu-burn')","status":"active"},{"display_name":"Protocol Message Flood Unbounded Goroutine","external_references":[{"id":"CVE-2023-40591","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40591"},{"id":"GHPR-algorand-go-algorand-5734","kind":"vendor-advisory"}],"family":"connection_exhaustion","first_seen":"2023-01-01","id":"NRDAX-T0214","instances":[{"bundle_ref":"geth_devp2p_ping_flood","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm","kind":"ghsa","url":"https://github.com/ethereum/go-ethereum/security/advisories/GHSA-ppjg-v974-84cm"}],"fidelity":"lab","primitive_id":"geth_devp2p_ping_flood"}],"mechanism":"CVE-2023-40591: post-Hello devp2p PING (0x02) flood → unbounded goroutines → OOM (geth 1.10.0-1.12.0)","name":"protocol-message-flood-unbounded-goroutine","provenance_note":"imported from nr_registry cluster 'protocol-message-flood-unbounded-goroutine'","status":"active"},{"display_name":"Quic 0-RTT Race Memory Exhaustion","external_references":[{"id":"GHPR-quinn-rs-quinn-1821","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0215","instances":[],"mechanism":"Quic 0-RTT Race Memory Exhaustion","name":"quic-0rtt-race-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-0rtt-race-memory-exhaustion')","status":"active"},{"display_name":"QUIC Accept Error Panic Crash","external_references":[{"id":"GHPR-libp2p-go-libp2p-2276","kind":"vendor-advisory"},{"id":"GHPR-libp2p-go-libp2p-2278","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0216","instances":[],"mechanism":"QUIC Accept Error Panic Crash","name":"quic-accept-error-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-accept-error-panic-crash')","status":"active"},{"display_name":"QUIC Amplification Limit Bypass","external_references":[{"id":"CVE-2026-44894","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44894"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0217","instances":[],"mechanism":"QUIC Amplification Limit Bypass","name":"quic-amplification-token-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-amplification-token-bypass')","status":"active"},{"display_name":"Quic Chunks Drop Panic Crash","external_references":[{"id":"GHPR-quinn-rs-quinn-1983","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0218","instances":[],"mechanism":"Quic Chunks Drop Panic Crash","name":"quic-chunks-drop-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-chunks-drop-panic-crash')","status":"active"},{"display_name":"Quic Client Hello Fragmentation Panic","external_references":[{"id":"GHPR-quinn-rs-quinn-2020","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0219","instances":[],"mechanism":"Quic Client Hello Fragmentation Panic","name":"quic-client-hello-fragmentation-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-client-hello-fragmentation-panic')","status":"active"},{"display_name":"QUIC Close Frame Parsing Panic","external_references":[{"id":"GHSA-gj4j-vp5f-86cf","kind":"ghsa","url":"https://github.com/advisories/GHSA-gj4j-vp5f-86cf"},{"id":"GHPR-cloudflare-quiche-1341","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0220","instances":[],"mechanism":"QUIC Close Frame Parsing Panic","name":"quic-close-frame-parsing-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-close-frame-parsing-panic')","status":"active"},{"display_name":"QUIC Congestion Control Manipulation","external_references":[{"id":"CVE-2025-4820","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4820"},{"id":"CVE-2025-4821","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-4821"}],"family":"network-p2p","first_seen":"2025-01-01","id":"NRDAX-T0221","instances":[],"mechanism":"QUIC Congestion Control Manipulation","name":"quic-congestion-control-manipulation","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-congestion-control-manipulation')","status":"active"},{"display_name":"QUIC Connection ID Exhaustion","external_references":[{"id":"CVE-2024-1410","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1410"},{"id":"CVE-2024-22189","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22189"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0222","instances":[],"mechanism":"QUIC Connection ID Exhaustion","name":"quic-connection-id-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-connection-id-exhaustion')","status":"active"},{"display_name":"QUIC Connection ID Retirement Infinite Loop","external_references":[{"id":"CVE-2025-7054","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-7054"}],"family":"network-p2p","first_seen":"2025-01-01","id":"NRDAX-T0223","instances":[],"mechanism":"QUIC Connection ID Retirement Infinite Loop","name":"quic-connection-id-retirement-infinite-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-connection-id-retirement-infinite-loop')","status":"active"},{"display_name":"QUIC Connection Migration Duplicate-ID Crash","external_references":[{"id":"GHSA-rfhg-rjfp-9q8q","kind":"ghsa","url":"https://github.com/advisories/GHSA-rfhg-rjfp-9q8q"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0224","instances":[],"mechanism":"QUIC Connection Migration Duplicate-ID Crash","name":"quic-connection-migration-duplicate-id-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-connection-migration-duplicate-id-crash')","status":"active"},{"display_name":"QUIC Control Frame Flood","external_references":[{"id":"GHPR-quic-go-quic-go-4369","kind":"vendor-advisory"}],"family":"connection_exhaustion","first_seen":"2026-07-11","id":"NRDAX-T0225","instances":[{"bundle_ref":"s2n_quic_stream_limit_exhaustion","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"GHSA-475v-pq2g-fp9g — AWS s2n-quic <= v1.30.0: 's2n-quic potential denial of service via crafted stream frames' — uncontrolled stream-limit increase when closing remote-initiated streams. https://github.com/aws/s2n-quic/security/advisories/GHSA-475v-pq2g-fp9g","kind":"ghsa"}],"fidelity":"lab","primitive_id":"s2n_quic_stream_limit_exhaustion"}],"mechanism":"s2n-quic stream-limit exhaustion (GHSA-475v-pq2g-fp9g): pre-patch `RemoteInitiated::on_close_stream` directly bumped `max_streams_sync` with NO rate limiting, so every close of a remote-initiated stre","name":"quic-control-frame-flood","provenance_note":"imported from nr_registry cluster 'quic-control-frame-flood'","status":"active"},{"display_name":"QUIC Crypto Frame Flood","external_references":[{"id":"CVE-2024-1765","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-1765"},{"id":"CVE-2026-10740","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-10740"}],"family":"network-p2p","first_seen":"2024-01-01","id":"NRDAX-T0226","instances":[],"mechanism":"QUIC Crypto Frame Flood","name":"quic-crypto-frame-flood","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-crypto-frame-flood')","status":"active"},{"display_name":"QUIC Datagram Fragmentation Panic","external_references":[{"id":"GHSA-qh5x-rfwf-rvfv","kind":"ghsa","url":"https://github.com/advisories/GHSA-qh5x-rfwf-rvfv"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0227","instances":[],"mechanism":"QUIC Datagram Fragmentation Panic","name":"quic-datagram-fragmentation-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-datagram-fragmentation-panic')","status":"active"},{"display_name":"QUIC Decryption Overflow Crash","external_references":[{"id":"GHPR-cloudflare-quiche-1154","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0228","instances":[],"mechanism":"QUIC Decryption Overflow Crash","name":"quic-decryption-overflow-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-decryption-overflow-crash')","status":"active"},{"display_name":"QUIC Early Data Processing Disclosure","external_references":[{"id":"GHPR-cloudflare-quiche-68","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0229","instances":[],"mechanism":"QUIC Early Data Processing Disclosure","name":"quic-early-data-processing-disclosure","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-early-data-processing-disclosure')","status":"active"},{"display_name":"QUIC Empty Header Panic","external_references":[{"id":"GHPR-cloudflare-quiche-1845","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0230","instances":[],"mechanism":"QUIC Empty Header Panic","name":"quic-empty-header-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-empty-header-panic')","status":"active"},{"display_name":"QUIC Handshake State Confusion Crash","external_references":[{"id":"CVE-2025-59530","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59530"},{"id":"CVE-2026-61544","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-61544"},{"id":"GHPR-aws-s2n-quic-3028","kind":"vendor-advisory"},{"id":"GHPR-firedancer-io-firedancer-4967","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2025-01-01","id":"NRDAX-T0231","instances":[],"mechanism":"QUIC Handshake State Confusion Crash","name":"quic-handshake-state-confusion-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-handshake-state-confusion-crash')","status":"active"},{"display_name":"QUIC/HTTP3 Header Memory Exhaustion","external_references":[{"id":"CVE-2026-40898","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40898"},{"id":"CVE-2026-44892","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44892"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0232","instances":[],"mechanism":"QUIC/HTTP3 Header Memory Exhaustion","name":"quic-http3-header-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-http3-header-memory-exhaustion')","status":"active"},{"display_name":"Quic Http3 Nil Pointer Crash","external_references":[{"id":"GHPR-quic-go-quic-go-5671","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0233","instances":[],"mechanism":"Quic Http3 Nil Pointer Crash","name":"quic-http3-nil-pointer-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-http3-nil-pointer-crash')","status":"active"},{"display_name":"QUIC Invalid Length Field Panic","external_references":[{"id":"GHPR-cloudflare-quiche-1314","kind":"vendor-advisory"},{"id":"GHPR-cloudflare-quiche-918","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0234","instances":[],"mechanism":"QUIC Invalid Length Field Panic","name":"quic-invalid-length-field-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-invalid-length-field-panic')","status":"active"},{"display_name":"QUIC Malformed Packet Crash","external_references":[{"id":"GHSA-hxq4-mx37-fqvg","kind":"ghsa","url":"https://github.com/advisories/GHSA-hxq4-mx37-fqvg"},{"id":"GHREL-firedancer-io-firedancer-v0.708.20306","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0235","instances":[],"mechanism":"QUIC Malformed Packet Crash","name":"quic-malformed-packet-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-malformed-packet-crash')","status":"active"},{"display_name":"Quic Packet Loss Calculation Panic","external_references":[{"id":"GHPR-quinn-rs-quinn-2436","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0236","instances":[],"mechanism":"Quic Packet Loss Calculation Panic","name":"quic-packet-loss-calculation-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-packet-loss-calculation-panic')","status":"active"},{"display_name":"QUIC Packet Processing Infinite Loop","external_references":[{"id":"GHREL-firedancer-io-firedancer-v0.105.11814","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0237","instances":[],"mechanism":"QUIC Packet Processing Infinite Loop","name":"quic-packet-processing-infinite-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-packet-processing-infinite-loop')","status":"active"},{"display_name":"QUIC Path Challenge Flood","external_references":[{"id":"CVE-2023-49295","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49295"},{"id":"CVE-2023-6193","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6193"}],"family":"network-p2p","first_seen":"2023-01-01","id":"NRDAX-T0238","instances":[],"mechanism":"QUIC Path Challenge Flood","name":"quic-path-challenge-flood","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-path-challenge-flood')","status":"active"},{"display_name":"QUIC Path Probe Nil-Pointer Crash","external_references":[{"id":"CVE-2025-29785","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-29785"},{"id":"GHPR-quic-go-quic-go-5063","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2025-01-01","id":"NRDAX-T0239","instances":[],"mechanism":"QUIC Path Probe Nil-Pointer Crash","name":"quic-path-probe-nil-pointer-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-path-probe-nil-pointer-crash')","status":"active"},{"display_name":"QUIC Post-Close Packet Processing Crash","external_references":[{"id":"GHPR-aws-s2n-quic-3110","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0240","instances":[],"mechanism":"QUIC Post-Close Packet Processing Crash","name":"quic-post-close-packet-processing-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-post-close-packet-processing-crash')","status":"active"},{"display_name":"QUIC PTO Timer Overflow Crash","external_references":[{"id":"GHPR-cloudflare-quiche-2464","kind":"vendor-advisory"},{"id":"GHPR-cloudflare-quiche-2465","kind":"vendor-advisory"},{"id":"GHPR-cloudflare-quiche-2498","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0241","instances":[],"mechanism":"QUIC PTO Timer Overflow Crash","name":"quic-pto-timer-overflow-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-pto-timer-overflow-crash')","status":"active"},{"display_name":"QUIC Socket Queue Spin CPU Burn","external_references":[{"id":"GHPR-aws-s2n-quic-2876","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0242","instances":[],"mechanism":"QUIC Socket Queue Spin CPU Burn","name":"quic-socket-queue-spin-cpu-burn","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-socket-queue-spin-cpu-burn')","status":"active"},{"display_name":"Quic Transport Parameter Overflow Panic","external_references":[{"id":"GHPR-quinn-rs-quinn-2407","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0243","instances":[],"mechanism":"Quic Transport Parameter Overflow Panic","name":"quic-transport-parameter-overflow-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-transport-parameter-overflow-panic')","status":"active"},{"display_name":"QUIC Unauthenticated Close Frame Disruption","external_references":[{"id":"GHPR-aws-s2n-quic-3012","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0244","instances":[],"mechanism":"QUIC Unauthenticated Close Frame Disruption","name":"quic-unauthenticated-close-frame-disruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-unauthenticated-close-frame-disruption')","status":"active"},{"display_name":"QUIC Varint Parsing Panic","external_references":[{"id":"CVE-2026-31812","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31812"},{"id":"GHPR-cloudflare-quiche-2155","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0245","instances":[],"mechanism":"QUIC Varint Parsing Panic","name":"quic-varint-parsing-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'quic-varint-parsing-panic')","status":"active"},{"display_name":"Rate-Limit Key Confusion","external_references":[],"family":"connection_exhaustion","first_seen":"2026-07-09","id":"NRDAX-T0246","instances":[{"bundle_ref":"ic_ingress_pool_quota_miskey","chain":"ic","discovery_origin":"original-research","external_references":[{"id":"https://github.com/dfinity/ic — ingress-pool per-NodeId quota mis-key: HTTP-arriving ingress is inserted with node_id = self.node_id (the carrier replica's OWN NodeId) at rs/http_endpoints/public/src/call.rs:391 (self.node_id set call.rs:104), not the signing principal; the per-peer quota exceeds_limit() then gates one SHARED bucket (rs/artifact_pool/src/ingress_pool.rs:226-232, prod caps ingress_pool_max_count=10000 / ingress_pool_max_bytes=100000000 in rs/ic_os/config/tool/templates/ic.json5.template:49-50), and RemoveFromUnvalidated (rs/ingress_manager/src/ingress_handler.rs:60-76) purges ALL unvalidated ingress for that peer. The IC team's own stale TODO acknowledges the mis-key: rs/interfaces/src/ingress_pool.rs:22-25.","kind":"vendor-advisory","url":"https://github.com/dfinity/ic — ingress-pool per-NodeId quota mis-key: HTTP-arriving ingress is inserted with node_id = self.node_id (the carrier replica's OWN NodeId) at rs/http_endpoints/public/src/call.rs:391 (self.node_id set call.rs:104), not the signing principal; the per-peer quota exceeds_limit() then gates one SHARED bucket (rs/artifact_pool/src/ingress_pool.rs:226-232, prod caps ingress_pool_max_count=10000 / ingress_pool_max_bytes=100000000 in rs/ic_os/config/tool/templates/ic.json5.template:49-50), and RemoveFromUnvalidated (rs/ingress_manager/src/ingress_handler.rs:60-76) purges ALL unvalidated ingress for that peer. The IC team's own stale TODO acknowledges the mis-key: rs/interfaces/src/ingress_pool.rs:22-25."}],"fidelity":"lab","primitive_id":"ic_ingress_pool_quota_miskey"}],"mechanism":"IC ingress-pool per-NodeId quota mis-key (IC_N1_INGRESS_POOL_QUOTA_MISKEY): every HTTP-arriving ingress message buckets under the carrier replica's own NodeId instead of the signing principal (call.rs","name":"rate-limit-key-confusion","provenance_note":"imported from nr_registry cluster 'rate-limit-key-confusion'","status":"active"},{"display_name":"Recursive Callback Stack Overflow Crash","external_references":[{"id":"GHPR-libp2p-js-libp2p-3485","kind":"vendor-advisory"},{"id":"GHREL-paritytech-polkadot-sdk-polkadot-stable2509-8","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0247","instances":[],"mechanism":"Recursive Callback Stack Overflow Crash","name":"recursive-callback-stack-overflow-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'recursive-callback-stack-overflow-crash')","status":"active"},{"display_name":"Recursive Filter Expression CPU Blowup","external_references":[],"family":"subscription_cpu_amp","first_seen":"2026-07-03","id":"NRDAX-T0248","instances":[{"bundle_ref":"iota_s1_widefilter_subscribe_cpu","chain":"iota","discovery_origin":"original-research","external_references":[],"fidelity":"lab","primitive_id":"iota_s1_widefilter_subscribe_cpu"}],"mechanism":"IOTA_S1_EVENTFILTER_EXPONENTIAL: iotax_subscribeEvent depth-D balanced Or-tree filter → exponential CPU","name":"recursive-filter-expression-cpu-blowup","provenance_note":"imported from nr_registry cluster 'recursive-filter-expression-cpu-blowup'","status":"active"},{"display_name":"Recursive Message Deserialisation Stack Overflow","external_references":[{"id":"GHPR-tronprotocol-java-tron-6844","kind":"vendor-advisory"}],"family":"compute_amp","first_seen":"2026-07-01","id":"NRDAX-T0249","instances":[{"bundle_ref":"cosmos_protobuf_nest_bomb","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-8wcc-m6j2-qxvm","kind":"ghsa","url":"https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-8wcc-m6j2-qxvm"}],"fidelity":"lab","primitive_id":"cosmos_protobuf_nest_bomb"},{"bundle_ref":"sui_move_recursion","chain":"sui","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2023-36184","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-36184"}],"fidelity":"lab","primitive_id":"sui_move_recursion"}],"mechanism":"GHSA-8wcc-m6j2-qxvm (ASA-2024-0012/0013): deeply-nested protobuf Any → TxDecoder/UnpackAny stack-overflow / exponential CPU+mem in CheckTx (pre-validation)","name":"recursive-message-deserialization-stack-overflow","provenance_note":"imported from nr_registry cluster 'recursive-message-deserialization-stack-overflow'","status":"active"},{"display_name":"Regex Schema Validation ReDoS","external_references":[{"id":"CVE-2025-69873","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-69873"}],"family":"network-rpc","first_seen":"2025-01-01","id":"NRDAX-T0250","instances":[],"mechanism":"Regex Schema Validation ReDoS","name":"regex-schema-validation-redos","provenance_note":"known-but-not-reproduced coverage gap (technique 'regex-schema-validation-redos')","status":"active"},{"display_name":"Reorg Batch Size Overflow Crash","external_references":[{"id":"GHPR-OffchainLabs-go-ethereum-439","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0251","instances":[],"mechanism":"Reorg Batch Size Overflow Crash","name":"reorg-batch-size-overflow-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'reorg-batch-size-overflow-crash')","status":"active"},{"display_name":"Reorg-Triggered Block Request Crash","external_references":[{"id":"GHPR-ElementsProject-lightning-8779","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0252","instances":[],"mechanism":"Reorg-Triggered Block Request Crash","name":"reorg-triggered-block-request-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'reorg-triggered-block-request-crash')","status":"active"},{"display_name":"Reorg Unfiltered Tx Crash Loop","external_references":[{"id":"GHPR-ethereum-optimism-op-geth-776","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0253","instances":[],"mechanism":"Reorg Unfiltered Tx Crash Loop","name":"reorg-unfiltered-tx-crash-loop","provenance_note":"known-but-not-reproduced coverage gap (technique 'reorg-unfiltered-tx-crash-loop')","status":"active"},{"display_name":"Repair Protocol Legacy Request Stall","external_references":[],"family":"compute_amp","first_seen":"2026-07-09","id":"NRDAX-T0254","instances":[{"bundle_ref":"solana_repair_protocol_dos","chain":"solana","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/solana-labs/solana/releases/tag/v1.1.16 — release note \"Avoid possible repair orphan DoS\"; fix PR https://github.com/solana-labs/solana/pull/10290 (\"Fix run_orphan DOS\", merged 2020-05-28), core/src/serve_repair.rs.","kind":"vendor-advisory","url":"https://github.com/solana-labs/solana/releases/tag/v1.1.16 — release note \"Avoid possible repair orphan DoS\"; fix PR https://github.com/solana-labs/solana/pull/10290 (\"Fix run_orphan DOS\", merged 2020-05-28), core/src/serve_repair.rs."}],"fidelity":"lab","primitive_id":"solana_repair_protocol_dos"}],"mechanism":"Solana repair-protocol orphan DoS (solana-labs/solana v1.1.16, PR #10290): a legacy no-nonce RepairProtocol::Orphan(ContactInfo, slot) request for a slot > UNLOCK_NONCE_SLOT makes the serving node's s","name":"repair-protocol-legacy-request-stall","provenance_note":"imported from nr_registry cluster 'repair-protocol-legacy-request-stall'","status":"active"},{"display_name":"Transaction Replay Auth Bypass","external_references":[{"id":"CVE-2021-25834","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25834"},{"id":"GHSA-3p8h-7v82-ffvq","kind":"ghsa","url":"https://github.com/advisories/GHSA-3p8h-7v82-ffvq"},{"id":"SLOWMIST-TX-REPLAY","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2021-01-01","id":"NRDAX-T0255","instances":[],"mechanism":"Transaction Replay Auth Bypass","name":"replay-auth-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'replay-auth-bypass')","status":"active"},{"display_name":"Replay Status Handling Panic","external_references":[{"id":"GHPR-Fantom-foundation-go-opera-467","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0256","instances":[],"mechanism":"Replay Status Handling Panic","name":"replay-status-handling-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'replay-status-handling-panic')","status":"active"},{"display_name":"Rogue-Key Aggregate Signature Forgery","external_references":[{"id":"CVE-2026-34068","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34068"}],"family":"consensus","first_seen":"2026-01-01","id":"NRDAX-T0257","instances":[],"mechanism":"Rogue-Key Aggregate Signature Forgery","name":"rogue-key-aggregate-signature-forgery","provenance_note":"known-but-not-reproduced coverage gap (technique 'rogue-key-aggregate-signature-forgery')","status":"active"},{"display_name":"RPC Arbitrary File Write","external_references":[{"id":"CVE-2021-3195","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3195"},{"id":"CVE-2026-48769","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48769"}],"family":"network-rpc","first_seen":"2021-01-01","id":"NRDAX-T0258","instances":[],"mechanism":"RPC Arbitrary File Write","name":"rpc-arbitrary-file-write","provenance_note":"known-but-not-reproduced coverage gap (technique 'rpc-arbitrary-file-write')","status":"active"},{"display_name":"RPC Integer Overflow Memory Corruption","external_references":[{"id":"GHPR-firedancer-io-firedancer-10245","kind":"vendor-advisory"},{"id":"GHPR-tronprotocol-java-tron-6694","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0259","instances":[],"mechanism":"RPC Integer Overflow Memory Corruption","name":"rpc-integer-overflow-memory-corruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'rpc-integer-overflow-memory-corruption')","status":"active"},{"display_name":"RPC Parameter Validation Defect","external_references":[{"id":"CVE-2018-16733","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16733"},{"id":"GHPR-Conflux-Chain-conflux-rust-3521","kind":"vendor-advisory"},{"id":"GHPR-Conflux-Chain-conflux-rust-3538","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-8751","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-8813","kind":"vendor-advisory"},{"id":"GHPR-ElementsProject-lightning-9217","kind":"vendor-advisory"},{"id":"GHPR-XRPLF-rippled-7557","kind":"vendor-advisory"},{"id":"GHPR-btcsuite-btcd-2242","kind":"vendor-advisory"},{"id":"GHPR-cosmos-ethermint-487","kind":"vendor-advisory"},{"id":"GHPR-filecoin-project-lotus-13672","kind":"vendor-advisory"},{"id":"GHPR-lightningnetwork-lnd-10904","kind":"vendor-advisory"},{"id":"GHPR-tronprotocol-java-tron-6828","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v0.21.3","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v0.23.5","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.0.21","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.0.24","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.14","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.2.19","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2018-01-01","id":"NRDAX-T0260","instances":[],"mechanism":"RPC Parameter Validation Defect","name":"rpc-parameter-validation-defect","provenance_note":"known-but-not-reproduced coverage gap (technique 'rpc-parameter-validation-defect')","status":"active"},{"display_name":"RPC Request Flood","external_references":[],"family":"connection_exhaustion","first_seen":"2026-06-30","id":"NRDAX-T0261","instances":[{"bundle_ref":"eth_getblock_flood","chain":"ethereum","discovery_origin":"original-research","external_references":[{"id":"https://geth.ethereum.org/docs/interacting-with-geth/rpc","kind":"vendor-advisory","url":"https://geth.ethereum.org/docs/interacting-with-geth/rpc"}],"fidelity":"lab","primitive_id":"eth_getblock_flood"},{"bundle_ref":"sol_rpc_request_flood","chain":"solana","discovery_origin":"original-research","external_references":[{"id":"https://solana.com/news/9-14-network-outage-initial-overview","kind":"vendor-advisory","url":"https://solana.com/news/9-14-network-outage-initial-overview"}],"fidelity":"lab","primitive_id":"sol_rpc_request_flood"},{"bundle_ref":"sui_h02_state_sync_flood","chain":"sui","discovery_origin":"original-research","external_references":[{"id":"https://github.com/MystenLabs/sui/blob/main/crates/sui-network/src/state_sync/builder.rs","kind":"vendor-advisory","url":"https://github.com/MystenLabs/sui/blob/main/crates/sui-network/src/state_sync/builder.rs"}],"fidelity":"lab","primitive_id":"sui_h02_state_sync_flood"}],"mechanism":"eth RPC request-flood (full-tx block fetch sustained at high rate)","name":"rpc-request-flood","provenance_note":"imported from nr_registry cluster 'rpc-request-flood'","status":"active"},{"display_name":"RPC Request Memory Leak","external_references":[{"id":"GHREL-near-nearcore-2.10.0-rc.4","kind":"vendor-advisory"},{"id":"GHREL-ton-blockchain-ton-v2026.02","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0262","instances":[],"mechanism":"RPC Request Memory Leak","name":"rpc-request-memory-leak","provenance_note":"known-but-not-reproduced coverage gap (technique 'rpc-request-memory-leak')","status":"active"},{"display_name":"RPC Serialization Deadlock","external_references":[{"id":"CVE-2023-34450","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34450"}],"family":"network-rpc","first_seen":"2023-01-01","id":"NRDAX-T0263","instances":[],"mechanism":"RPC Serialization Deadlock","name":"rpc-serialization-deadlock","provenance_note":"known-but-not-reproduced coverage gap (technique 'rpc-serialization-deadlock')","status":"active"},{"display_name":"Scope Permission Bypass Unauthorized Write","external_references":[{"id":"CVE-2026-49291","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49291"}],"family":"network-rpc","first_seen":"2026-01-01","id":"NRDAX-T0264","instances":[],"mechanism":"Scope Permission Bypass Unauthorized Write","name":"scope-permission-bypass-unauthorized-write","provenance_note":"known-but-not-reproduced coverage gap (technique 'scope-permission-bypass-unauthorized-write')","status":"active"},{"display_name":"Secret Key Validation Missing","external_references":[{"id":"GHSA-435g-fcv3-8j26","kind":"ghsa","url":"https://github.com/advisories/GHSA-435g-fcv3-8j26"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0265","instances":[],"mechanism":"Secret Key Validation Missing","name":"secret-key-validation-missing","provenance_note":"known-but-not-reproduced coverage gap (technique 'secret-key-validation-missing')","status":"active"},{"display_name":"Shred Replay Processing DoS","external_references":[{"id":"GHREL-solana-labs-solana-v1.0.9","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.13.7","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0266","instances":[],"mechanism":"Shred Replay Processing DoS","name":"shred-replay-processing-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'shred-replay-processing-dos')","status":"active"},{"display_name":"Signature Malleability Consensus Manipulation","external_references":[{"id":"CVE-2021-21405","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-21405"}],"family":"consensus","first_seen":"2021-01-01","id":"NRDAX-T0267","instances":[],"mechanism":"Signature Malleability Consensus Manipulation","name":"signature-malleability-consensus-manipulation","provenance_note":"known-but-not-reproduced coverage gap (technique 'signature-malleability-consensus-manipulation')","status":"active"},{"display_name":"Signature Recovery CPU Burn","external_references":[{"id":"GHPR-tronprotocol-java-tron-6782","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0268","instances":[],"mechanism":"Signature Recovery CPU Burn","name":"signature-recovery-cpu-burn","provenance_note":"known-but-not-reproduced coverage gap (technique 'signature-recovery-cpu-burn')","status":"active"},{"display_name":"Signature Verification Bypass","external_references":[{"id":"CVE-2019-15545","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-15545"},{"id":"CVE-2022-31053","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31053"},{"id":"CVE-2026-44714","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44714"},{"id":"GHSA-cp57-fq8g-qh6v","kind":"ghsa","url":"https://github.com/advisories/GHSA-cp57-fq8g-qh6v"},{"id":"GHSA-fhvh-vw7h-9xf3","kind":"ghsa","url":"https://github.com/advisories/GHSA-fhvh-vw7h-9xf3"}],"family":"crypto","first_seen":"2019-01-01","id":"NRDAX-T0269","instances":[],"mechanism":"Signature Verification Bypass","name":"signature-verification-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'signature-verification-bypass')","status":"active"},{"display_name":"Signature Verification OOB Read","external_references":[{"id":"GHPR-firedancer-io-firedancer-10170","kind":"vendor-advisory"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0270","instances":[],"mechanism":"Signature Verification OOB Read","name":"signature-verification-oob-read","provenance_note":"known-but-not-reproduced coverage gap (technique 'signature-verification-oob-read')","status":"active"},{"display_name":"Signer Double-Sign Prevention Gap","external_references":[{"id":"GHPR-Fantom-foundation-go-opera-140","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0271","instances":[],"mechanism":"Signer Double-Sign Prevention Gap","name":"signer-double-sign-prevention-gap","provenance_note":"known-but-not-reproduced coverage gap (technique 'signer-double-sign-prevention-gap')","status":"active"},{"display_name":"Signer Index Overflow Crash","external_references":[{"id":"CVE-2025-59942","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-59942"}],"family":"consensus","first_seen":"2025-01-01","id":"NRDAX-T0272","instances":[],"mechanism":"Signer Index Overflow Crash","name":"signer-index-overflow-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'signer-index-overflow-crash')","status":"active"},{"display_name":"Signer Mismatch Bypass","external_references":[{"id":"GHSA-7q74-g774-7x3g","kind":"ghsa","url":"https://github.com/advisories/GHSA-7q74-g774-7x3g"}],"family":"bridge","first_seen":"2020-01-01","id":"NRDAX-T0273","instances":[],"mechanism":"Signer Mismatch Bypass","name":"signer-mismatch-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'signer-mismatch-bypass')","status":"active"},{"display_name":"Sigop Undercount Consensus Split","external_references":[{"id":"CVE-2026-44498","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44498"},{"id":"CVE-2026-52735","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52735"},{"id":"GHSA-qvwc-hc2r-82qv","kind":"ghsa","url":"https://github.com/advisories/GHSA-qvwc-hc2r-82qv"}],"family":"consensus","first_seen":"2026-01-01","id":"NRDAX-T0274","instances":[],"mechanism":"Sigop Undercount Consensus Split","name":"sigop-undercount-consensus-split","provenance_note":"known-but-not-reproduced coverage gap (technique 'sigop-undercount-consensus-split')","status":"active"},{"display_name":"Single-Peer Block-Discovery Stall","external_references":[{"id":"CVE-2024-52922","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52922"},{"id":"CVE-2026-44499","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44499"}],"family":"connection_exhaustion","first_seen":"2024-01-01","id":"NRDAX-T0275","instances":[{"bundle_ref":"btc_cmpctblock_stall","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/11/05/cb-stall-hindering-propagation/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/11/05/cb-stall-hindering-propagation/"}],"fidelity":"lab","primitive_id":"btc_cmpctblock_stall"},{"bundle_ref":"zebra_block_discovery_dos","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2026-44499 / GHSA-h9hm-m2xj-4rq9 — https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-h9hm-m2xj-4rq9 (also https://nvd.nist.gov/vuln/detail/CVE-2026-44499). Permanent Block Discovery Halt in Zebra via Gossip Queue Saturation and Syncer Poisoning.","kind":"cve"}],"fidelity":"lab","primitive_id":"zebra_block_discovery_dos"}],"mechanism":"CVE-2024-52922: cmpctblock announce then stall (never answer getblocktxn) → ~10min delayed propagation","name":"single-peer-block-discovery-stall","provenance_note":"imported from nr_registry cluster 'single-peer-block-discovery-stall'","status":"active"},{"display_name":"Slashing Implementation Crash","external_references":[{"id":"GHREL-near-nearcore-1.30.1","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0276","instances":[],"mechanism":"Slashing Implementation Crash","name":"slashing-implementation-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'slashing-implementation-crash')","status":"active"},{"display_name":"Snapshot Chunk Oversized OOM","external_references":[{"id":"GHREL-Conflux-Chain-conflux-rust-v2.2.2","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v2.2.2-testnet","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.4.19","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0277","instances":[],"mechanism":"Snapshot Chunk Oversized OOM","name":"snapshot-chunk-oversized-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'snapshot-chunk-oversized-oom')","status":"active"},{"display_name":"Snapshot File Parsing Crash","external_references":[{"id":"GHPR-solana-labs-solana-7464","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0278","instances":[],"mechanism":"Snapshot File Parsing Crash","name":"snapshot-file-parsing-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'snapshot-file-parsing-crash')","status":"active"},{"display_name":"SOCKS Proxy Remote Code Execution","external_references":[{"id":"CVE-2017-18350","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2017-18350"}],"family":"network-rpc","first_seen":"2017-01-01","id":"NRDAX-T0279","instances":[],"mechanism":"SOCKS Proxy Remote Code Execution","name":"socks-proxy-remote-code-execution","provenance_note":"known-but-not-reproduced coverage gap (technique 'socks-proxy-remote-code-execution')","status":"active"},{"display_name":"Spoofed Endpoint-Proof Bypass Amplification","external_references":[],"family":"memory_amp","first_seen":"2026-07-11","id":"NRDAX-T0280","instances":[{"bundle_ref":"discv4_findnode_amplification","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"NethermindEth/nethermind#12211 — 'Resolve some discovery dos vectors (which hive revealed)': discv4 (UDP node-discovery) DoS mitigation — endpoint-proof bonding tied to the exact UDP IP:port before honouring FINDNODE, plus a 50/50 request/response rate-limit split so NEIGHBORS response bursts can't starve legitimate queries. https://github.com/NethermindEth/nethermind/pull/12211","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"discv4_findnode_amplification"}],"mechanism":"discv4 FINDNODE->NEIGHBORS reflection/amplification (NethermindEth/nethermind#12211): discv4 is Ethereum's connectionless-UDP node-discovery protocol. A ~170 B FINDNODE (packet-type 0x03) makes the no","name":"spoofed-endpoint-proof-bypass-amplification","provenance_note":"imported from nr_registry cluster 'spoofed-endpoint-proof-bypass-amplification'","status":"active"},{"display_name":"SSH Password Authentication Exposure","external_references":[],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0281","instances":[],"mechanism":"SSH Password Authentication Exposure","name":"ssh-password-authentication-exposure","provenance_note":"known-but-not-reproduced coverage gap (technique 'ssh-password-authentication-exposure')","status":"active"},{"display_name":"Staking Slashing Evasion","external_references":[{"id":"GHSA-86h5-xcpx-cfqc","kind":"ghsa","url":"https://github.com/advisories/GHSA-86h5-xcpx-cfqc"},{"id":"GHSA-r47q-464x-wx5x","kind":"ghsa","url":"https://github.com/advisories/GHSA-r47q-464x-wx5x"}],"family":"economic-defi","first_seen":"2020-01-01","id":"NRDAX-T0282","instances":[],"mechanism":"Staking Slashing Evasion","name":"staking-slashing-evasion","provenance_note":"known-but-not-reproduced coverage gap (technique 'staking-slashing-evasion')","status":"active"},{"display_name":"Stale State Reuse Crash","external_references":[{"id":"GHPR-erigontech-erigon-22344","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0283","instances":[],"mechanism":"Stale State Reuse Crash","name":"stale-state-reuse-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'stale-state-reuse-crash')","status":"active"},{"display_name":"State Archive Restore Corruption Crash","external_references":[{"id":"GHSA-mjfq-3qr2-6g84","kind":"ghsa","url":"https://github.com/advisories/GHSA-mjfq-3qr2-6g84"},{"id":"GHPR-stellar-stellar-core-4847","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0284","instances":[],"mechanism":"State Archive Restore Corruption Crash","name":"state-archive-restore-corruption-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'state-archive-restore-corruption-crash')","status":"active"},{"display_name":"State Channel Logic Flaw","external_references":[{"id":"CVE-2023-38701","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38701"},{"id":"CVE-2023-42448","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42448"},{"id":"CVE-2023-42449","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42449"}],"family":"economic-defi","first_seen":"2023-01-01","id":"NRDAX-T0285","instances":[],"mechanism":"State Channel Logic Flaw","name":"state-channel-logic-flaw","provenance_note":"known-but-not-reproduced coverage gap (technique 'state-channel-logic-flaw')","status":"active"},{"display_name":"State Channel Replay Attack","external_references":[{"id":"CVE-2023-42806","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42806"}],"family":"economic-defi","first_seen":"2023-01-01","id":"NRDAX-T0286","instances":[],"mechanism":"State Channel Replay Attack","name":"state-channel-replay-attack","provenance_note":"known-but-not-reproduced coverage gap (technique 'state-channel-replay-attack')","status":"active"},{"display_name":"State Simulation Copy Panic","external_references":[{"id":"GHSA-vmg2-r3xv-r3xf","kind":"ghsa","url":"https://github.com/advisories/GHSA-vmg2-r3xv-r3xf"},{"id":"GHPR-cosmos-ethermint-488","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0287","instances":[],"mechanism":"State Simulation Copy Panic","name":"state-simulation-copy-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'state-simulation-copy-panic')","status":"active"},{"display_name":"State Sync Proposer Priority Mismatch Chain Split","external_references":[{"id":"GHSA-g5xx-c4hv-9ccc","kind":"ghsa","url":"https://github.com/advisories/GHSA-g5xx-c4hv-9ccc"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0288","instances":[],"mechanism":"State Sync Proposer Priority Mismatch Chain Split","name":"state-sync-proposer-priority-mismatch-chain-split","provenance_note":"known-but-not-reproduced coverage gap (technique 'state-sync-proposer-priority-mismatch-chain-split')","status":"active"},{"display_name":"Stream Abort Race Crash","external_references":[{"id":"GHPR-libp2p-js-libp2p-2225","kind":"vendor-advisory"},{"id":"GHPR-quic-go-quic-go-5037","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0289","instances":[],"mechanism":"Stream Abort Race Crash","name":"stream-abort-race-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'stream-abort-race-crash')","status":"active"},{"display_name":"Subscription Failure Panic Crash","external_references":[{"id":"GHPR-filecoin-project-go-f3-830","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0290","instances":[],"mechanism":"Subscription Failure Panic Crash","name":"subscription-failure-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'subscription-failure-panic-crash')","status":"active"},{"display_name":"Subscription Permit Exhaustion","external_references":[],"family":"connection_exhaustion","first_seen":"2026-07-03","id":"NRDAX-T0291","instances":[{"bundle_ref":"cosmos_subscribe_perconn_multiply","chain":"cosmos","discovery_origin":"original-research","external_references":[],"fidelity":"lab","primitive_id":"cosmos_subscribe_perconn_multiply"},{"bundle_ref":"sui_p01_p06_subscribe_filter_exhaustion","chain":"sui","discovery_origin":"original-research","external_references":[{"id":"https://github.com/MystenLabs/sui/blob/main/crates/sui-json-rpc/src/indexer_api.rs","kind":"vendor-advisory","url":"https://github.com/MystenLabs/sui/blob/main/crates/sui-json-rpc/src/indexer_api.rs"}],"fidelity":"lab","primitive_id":"sui_p01_p06_subscribe_filter_exhaustion"},{"bundle_ref":"sui_subscription_permit_leak","chain":"sui","discovery_origin":"original-research","external_references":[],"fidelity":"lab","primitive_id":"sui_subscription_permit_leak"}],"mechanism":"C04 (COSMOS_SUBSCRIBE_PERCONN_CAP): CometBFT rpc/core/events.go:27 caps NumClients>=MaxSubscriptionClients(100) but clientID=RemoteAddr(ip:PORT) → each TCP conn gets an independent per-client cap → su","name":"subscription-permit-exhaustion","provenance_note":"imported from nr_registry cluster 'subscription-permit-exhaustion'","status":"active"},{"display_name":"Sync Height Manipulation Stall","external_references":[],"family":"memory_amp","first_seen":"2026-07-09","id":"NRDAX-T0292","instances":[{"bundle_ref":"cometbft_blocksync_height_decrease_stuck","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2025-24371","kind":"cve"}],"fidelity":"lab","primitive_id":"cometbft_blocksync_height_decrease_stuck"}],"mechanism":"CVE-2025-24371 (ASA-2025-001 / GHSA-22qq-3xwm-r5x4): a malicious CometBFT blocksync peer disrupts a node's ability to sync. In blocksync a peer reports its base/latest heights in a StatusResponse; the","name":"sync-height-manipulation-stall","provenance_note":"imported from nr_registry cluster 'sync-height-manipulation-stall'","status":"active"},{"display_name":"Sync Request Loop OOM","external_references":[{"id":"GHPR-ChainSafe-lodestar-9501","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v1.1.2","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v1.1.2-testnet","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.0.14","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.16","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.1.2","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0293","instances":[],"mechanism":"Sync Request Loop OOM","name":"sync-request-loop-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'sync-request-loop-oom')","status":"active"},{"display_name":"Sync State Deadlock Crash","external_references":[{"id":"GHPR-starkware-libs-sequencer-14750","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0294","instances":[],"mechanism":"Sync State Deadlock Crash","name":"sync-state-deadlock-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'sync-state-deadlock-crash')","status":"active"},{"display_name":"Sync-State Poisoning Via Fake Blocks","external_references":[{"id":"CVE-2024-52921","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52921"},{"id":"CVE-2025-24371","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-24371"},{"id":"CVE-2026-52736","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52736"},{"id":"CVE-2026-52737","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-52737"},{"id":"GHSA-r3r4-g7hq-pq4f","kind":"ghsa","url":"https://github.com/advisories/GHSA-r3r4-g7hq-pq4f"},{"id":"GHSA-rpcw-q5mr-gq35","kind":"ghsa","url":"https://github.com/advisories/GHSA-rpcw-q5mr-gq35"},{"id":"GHPR-cometbft-cometbft-5803","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.18.1","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.18.1-rc.3","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.22.0-rc.3","kind":"vendor-advisory"}],"family":"gossip_abuse","first_seen":"2024-01-01","id":"NRDAX-T0295","instances":[{"bundle_ref":"zebra_sync_restart_poisoning","chain":"zcash","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2026-52737 / GHSA-gvjc-3w7c-92jx — https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-gvjc-3w7c-92jx","kind":"cve"}],"fidelity":"lab","primitive_id":"zebra_sync_restart_poisoning"}],"mechanism":"CVE-2026-52737 (GHSA-gvjc-3w7c-92jx): a single unauthenticated Zcash P2P peer answers the syncing node's getblocks/FindBlocks with a two-hash inv, then serves a `block` whose coinbase height is above ","name":"sync-state-poisoning-via-fake-blocks","provenance_note":"imported from nr_registry cluster 'sync-state-poisoning-via-fake-blocks'","status":"active"},{"display_name":"Template Injection RCE","external_references":[{"id":"CVE-2022-42889","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42889"}],"family":"supply-chain","first_seen":"2022-01-01","id":"NRDAX-T0296","instances":[],"mechanism":"Template Injection RCE","name":"template-injection-rce","provenance_note":"known-but-not-reproduced coverage gap (technique 'template-injection-rce')","status":"active"},{"display_name":"Timejacking Via Version Message","external_references":[{"id":"SLOWMIST-TIMEJACKING","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0297","instances":[],"mechanism":"Timejacking Via Version Message","name":"timejacking-via-version-message","provenance_note":"known-but-not-reproduced coverage gap (technique 'timejacking-via-version-message')","status":"active"},{"display_name":"Timestamp Integer Overflow Netsplit","external_references":[{"id":"CVE-2024-52912","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52912"}],"family":"consensus_abuse","first_seen":"2024-01-01","id":"NRDAX-T0298","instances":[{"bundle_ref":"btc_version_timestamp_overflow","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/07/03/disclose-timestamp-overflow/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/07/03/disclose-timestamp-overflow/"}],"fidelity":"lab","primitive_id":"btc_version_timestamp_overflow"}],"mechanism":"CVE-2024-52912: version nTime=INT64_MIN → abs64 overflow skews adjusted-network-time → netsplit","name":"timestamp-integer-overflow-netsplit","provenance_note":"imported from nr_registry cluster 'timestamp-integer-overflow-netsplit'","status":"active"},{"display_name":"Timestamp Validation Panic Crash","external_references":[{"id":"GHREL-Conflux-Chain-conflux-rust-v2.0.3-testnet","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0299","instances":[],"mechanism":"Timestamp Validation Panic Crash","name":"timestamp-validation-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'timestamp-validation-panic-crash')","status":"active"},{"display_name":"Timing Side-Channel Deanonymization","external_references":[{"id":"CVE-2020-8807","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8807"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0300","instances":[],"mechanism":"Timing Side-Channel Deanonymization","name":"timing-side-channel-deanonymization","provenance_note":"known-but-not-reproduced coverage gap (technique 'timing-side-channel-deanonymization')","status":"active"},{"display_name":"TLS Certificate Parsing Crash","external_references":[{"id":"CVE-2025-61727","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61727"}],"family":"network-p2p","first_seen":"2025-01-01","id":"NRDAX-T0301","instances":[],"mechanism":"TLS Certificate Parsing Crash","name":"tls-certificate-parsing-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'tls-certificate-parsing-crash')","status":"active"},{"display_name":"TLS Handshake Fragmentation Panic","external_references":[{"id":"GHPR-matter-labs-zksync-era-3331","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0302","instances":[],"mechanism":"TLS Handshake Fragmentation Panic","name":"tls-handshake-fragmentation-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'tls-handshake-fragmentation-panic')","status":"active"},{"display_name":"TLS Handshake MITM Injection","external_references":[{"id":"CVE-2014-0224","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2014-0224"}],"family":"crypto","first_seen":"2014-01-01","id":"NRDAX-T0303","instances":[],"mechanism":"TLS Handshake MITM Injection","name":"tls-handshake-mitm-injection","provenance_note":"known-but-not-reproduced coverage gap (technique 'tls-handshake-mitm-injection')","status":"active"},{"display_name":"TLS Renegotiation Crash","external_references":[{"id":"CVE-2021-3499","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3499"}],"family":"network-p2p","first_seen":"2021-01-01","id":"NRDAX-T0304","instances":[],"mechanism":"TLS Renegotiation Crash","name":"tls-renegotiation-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'tls-renegotiation-crash')","status":"active"},{"display_name":"TLS SNI mTLS Bypass","external_references":[{"id":"CVE-2026-53622","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53622"}],"family":"network-rpc","first_seen":"2026-01-01","id":"NRDAX-T0305","instances":[],"mechanism":"TLS SNI mTLS Bypass","name":"tls-sni-mtls-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'tls-sni-mtls-bypass')","status":"active"},{"display_name":"Token Supply Inflation Bug","external_references":[{"id":"CVE-2024-32644","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32644"},{"id":"CVE-2024-37153","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37153"}],"family":"economic-defi","first_seen":"2024-01-01","id":"NRDAX-T0306","instances":[],"mechanism":"Token Supply Inflation Bug","name":"token-supply-inflation-bug","provenance_note":"known-but-not-reproduced coverage gap (technique 'token-supply-inflation-bug')","status":"active"},{"display_name":"Transaction Malleability","external_references":[],"family":"consensus_abuse","first_seen":"2026-07-09","id":"NRDAX-T0307","instances":[{"bundle_ref":"tx_malleability_txid_mutate","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md","kind":"vendor-advisory","url":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md"}],"fidelity":"lab","primitive_id":"tx_malleability_txid_mutate"}],"mechanism":"Transaction Malleability (SlowMist Blockchain Common Vulnerability List): a tx and a malleated sibling with a byte-different scriptSig (extra OP_NOP) → different txid, identical inputs/outputs/effect;","name":"transaction-malleability","provenance_note":"imported from nr_registry cluster 'transaction-malleability'","status":"active"},{"display_name":"Transaction History Storage Exhaustion","external_references":[{"id":"GHREL-solana-labs-solana-v1.16.19","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v1.16.25","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0308","instances":[],"mechanism":"Transaction History Storage Exhaustion","name":"tx-history-storage-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'tx-history-storage-exhaustion')","status":"active"},{"display_name":"Tx History Storage Flood Disk Exhaustion","external_references":[{"id":"GHREL-solana-labs-solana-v1.16.20","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0309","instances":[],"mechanism":"Tx History Storage Flood Disk Exhaustion","name":"tx-history-storage-flood-disk-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'tx-history-storage-flood-disk-exhaustion')","status":"active"},{"display_name":"Tx Malleability Non-Consensus","external_references":[{"id":"SLOWMIST-TX-MALLEABILITY","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0310","instances":[],"mechanism":"Tx Malleability Non-Consensus","name":"tx-malleability-non-consensus","provenance_note":"known-but-not-reproduced coverage gap (technique 'tx-malleability-non-consensus')","status":"active"},{"display_name":"Transaction Relay Suppression","external_references":[{"id":"CVE-2024-52913","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-52913"}],"family":"ledger-tx","first_seen":"2024-01-01","id":"NRDAX-T0311","instances":[],"mechanism":"Transaction Relay Suppression","name":"tx-relay-suppression","provenance_note":"known-but-not-reproduced coverage gap (technique 'tx-relay-suppression')","status":"active"},{"display_name":"Tx-Relay Throughput Jamming","external_references":[],"family":"gossip_abuse","first_seen":"2026-07-01","id":"NRDAX-T0312","instances":[{"bundle_ref":"bitcoin_tx_relay_jamming","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2024-55563","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55563"}],"fidelity":"lab","primitive_id":"bitcoin_tx_relay_jamming"},{"bundle_ref":"btc_inv_eviction_jam","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/07/03/disclose_already_asked_for/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/07/03/disclose_already_asked_for/"}],"fidelity":"lab","primitive_id":"btc_inv_eviction_jam"}],"mechanism":"CVE-2024-55563 (Bitcoin Core <= 27.2): transaction-relay jamming via an off-chain protocol attack ('Transaction-Relay Throughput Overflow Attacks against Off-Chain Protocols'; related to CVE-2024-5291","name":"tx-relay-throughput-jamming","provenance_note":"imported from nr_registry cluster 'tx-relay-throughput-jamming'","status":"active"},{"display_name":"Transaction Validation Logic Consensus Split","external_references":[{"id":"CVE-2024-34478","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34478"},{"id":"CVE-2024-38365","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-38365"},{"id":"CVE-2026-34377","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34377"},{"id":"CVE-2026-40880","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40880"},{"id":"CVE-2026-41583","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41583"},{"id":"CVE-2026-44497","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44497"},{"id":"GHSA-wm9c-xvqq-5c28","kind":"ghsa","url":"https://github.com/advisories/GHSA-wm9c-xvqq-5c28"},{"id":"GHPR-cosmos-ethermint-334","kind":"vendor-advisory"},{"id":"GHPR-grandinetech-grandine-654","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2024-01-01","id":"NRDAX-T0313","instances":[],"mechanism":"Transaction Validation Logic Consensus Split","name":"tx-validation-logic-consensus-split","provenance_note":"known-but-not-reproduced coverage gap (technique 'tx-validation-logic-consensus-split')","status":"active"},{"display_name":"TxPool Crafted Transaction Crash","external_references":[{"id":"GHREL-Conflux-Chain-conflux-rust-v0.4.0","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v0.12.2","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0314","instances":[],"mechanism":"TxPool Crafted Transaction Crash","name":"txpool-crafted-transaction-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'txpool-crafted-transaction-crash')","status":"active"},{"display_name":"TxPool Message Flood OOM","external_references":[{"id":"GHREL-Conflux-Chain-conflux-rust-v1.1.2-testnet-fix","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0315","instances":[],"mechanism":"TxPool Message Flood OOM","name":"txpool-message-flood-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'txpool-message-flood-oom')","status":"active"},{"display_name":"Unaligned Memory Access Crash","external_references":[{"id":"GHPR-monero-project-monero-10623","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0316","instances":[],"mechanism":"Unaligned Memory Access Crash","name":"unaligned-memory-access-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'unaligned-memory-access-crash')","status":"active"},{"display_name":"Unauthenticated Admin Interface Exposure","external_references":[{"id":"CVE-2018-20587","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20587"},{"id":"SLOWMIST-BLACK-VALENTINE","kind":"vendor-advisory"}],"family":"auth_bypass","first_seen":"2018-01-01","id":"NRDAX-T0317","instances":[{"bundle_ref":"geth_rpc_unlocked_wallet_drain","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md","kind":"vendor-advisory","url":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md"}],"fidelity":"lab","primitive_id":"geth_rpc_unlocked_wallet_drain"},{"bundle_ref":"sui_h01_admin_no_auth_probe","chain":"sui","discovery_origin":"original-research","external_references":[{"id":"https://github.com/MystenLabs/sui/blob/main/crates/sui-node/src/admin.rs","kind":"vendor-advisory","url":"https://github.com/MystenLabs/sui/blob/main/crates/sui-node/src/admin.rs"}],"fidelity":"lab","primitive_id":"sui_h01_admin_no_auth_probe"}],"mechanism":"Black Valentine (SlowMist Blockchain Common Vulnerability List): geth --http with the personal namespace exposed + an unlocked/unlockable account → remote unauthenticated personal_unlockAccount then e","name":"unauthenticated-admin-interface-exposure","provenance_note":"imported from nr_registry cluster 'unauthenticated-admin-interface-exposure'","status":"active"},{"display_name":"Unauthenticated RPC Command Execution","external_references":[{"id":"CVE-2026-55786","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55786"},{"id":"GHSA-fc26-m9pf-v56q","kind":"ghsa","url":"https://github.com/advisories/GHSA-fc26-m9pf-v56q"},{"id":"GHSA-j4f3-55x4-r6q2","kind":"ghsa","url":"https://github.com/advisories/GHSA-j4f3-55x4-r6q2"}],"family":"network-rpc","first_seen":"2026-01-01","id":"NRDAX-T0318","instances":[],"mechanism":"Unauthenticated RPC Command Execution","name":"unauthenticated-rpc-command-execution","provenance_note":"known-but-not-reproduced coverage gap (technique 'unauthenticated-rpc-command-execution')","status":"active"},{"display_name":"Unbounded Alert Map OOM","external_references":[{"id":"CVE-2016-10724","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10724"}],"family":"network-p2p","first_seen":"2016-01-01","id":"NRDAX-T0319","instances":[],"mechanism":"Unbounded Alert Map OOM","name":"unbounded-alert-map-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-alert-map-oom')","status":"active"},{"display_name":"Unbounded Connection Flood","external_references":[{"id":"CVE-2020-5303","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-5303"},{"id":"GHREL-solana-labs-solana-v1.3.20","kind":"vendor-advisory"}],"family":"connection_exhaustion","first_seen":"2020-01-01","id":"NRDAX-T0320","instances":[{"bundle_ref":"cosmos_p2p_conn_flood","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6","kind":"ghsa","url":"https://github.com/tendermint/tendermint/security/advisories/GHSA-v24h-pjjv-mcp6"}],"fidelity":"lab","primitive_id":"cosmos_p2p_conn_flood"},{"bundle_ref":"geth_tcp_handshake_flood","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://reports.immunefi.com/ethereum-protocol-or-attackathon/37120-bc-insight-remote-handshake-based-tcp-30303-flooding-leads-to-an-out-of-memory-crash","kind":"vendor-advisory","url":"https://reports.immunefi.com/ethereum-protocol-or-attackathon/37120-bc-insight-remote-handshake-based-tcp-30303-flooding-leads-to-an-out-of-memory-crash"}],"fidelity":"lab","primitive_id":"geth_tcp_handshake_flood"},{"bundle_ref":"libp2p_conn_resource_exhaustion","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv","kind":"ghsa","url":"https://github.com/libp2p/js-libp2p/security/advisories/GHSA-f44q-634c-jvwv"}],"fidelity":"lab","primitive_id":"libp2p_conn_resource_exhaustion"},{"bundle_ref":"monero_rpc_conn_exhaustion","chain":"monero","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2025-26819","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26819"}],"fidelity":"lab","primitive_id":"monero_rpc_conn_exhaustion"},{"bundle_ref":"dnsdist_doq_concurrent_conn_exhaustion","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"lab","primitive_id":"dnsdist_doq_concurrent_conn_exhaustion"},{"bundle_ref":"firedancer_metrics_flood_crash","chain":"solana","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/firedancer-io/firedancer/releases/tag/v0.106.11814 — Firedancer v0.106.11814 (Testnet) Bug Fixes: \"Fixed an issue where a connection flood to the metrics server could crash the validator.\" Firedancer's fd_metrics tile serves Prometheus-compatible metrics over HTTP (default 127.0.0.1:7999/metrics; listen address operator-configurable / internet-exposable per the Firedancer bug-bounty guidance). A remote inbound TCP connection flood to the metrics port could crash the whole validator prior to this fix.","kind":"vendor-advisory","url":"https://github.com/firedancer-io/firedancer/releases/tag/v0.106.11814 — Firedancer v0.106.11814 (Testnet) Bug Fixes: \"Fixed an issue where a connection flood to the metrics server could crash the validator.\" Firedancer's fd_metrics tile serves Prometheus-compatible metrics over HTTP (default 127.0.0.1:7999/metrics; listen address operator-configurable / internet-exposable per the Firedancer bug-bounty guidance). A remote inbound TCP connection flood to the metrics port could crash the whole validator prior to this fix."}],"fidelity":"lab","primitive_id":"firedancer_metrics_flood_crash"}],"mechanism":"CVE-2020-5303 (Lavender): unlimited CometBFT P2P connection requests → OOM + activeIDs-map saturation","name":"unbounded-connection-flood","provenance_note":"imported from nr_registry cluster 'unbounded-connection-flood'","status":"active"},{"display_name":"Unbounded Connection ID Storage","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0321","instances":[{"bundle_ref":"quic_conn_id_memory_exhaustion","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2024-22189 / GHSA-c33x-xqrf-c478 — quic-go < 0.42.0: 'QUIC's Connection ID Mechanism vulnerable to Memory Exhaustion Attack'. https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478","kind":"cve"}],"fidelity":"lab","primitive_id":"quic_conn_id_memory_exhaustion"},{"bundle_ref":"quiche_conn_id_retirement_unbounded","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2024-1410 / GHSA-xhg9-xwch-vr7x — Cloudflare quiche (< 0.19.2; >= 0.20.0, < 0.20.1): 'quiche vulnerable to unbounded storage of information related to connection ID retirement'. https://github.com/advisories/GHSA-xhg9-xwch-vr7x","kind":"cve"}],"fidelity":"lab","primitive_id":"quiche_conn_id_retirement_unbounded"}],"mechanism":"quic-go connection-ID memory exhaustion (CVE-2024-22189, GHSA-c33x-xqrf-c478): on an established QUIC connection the attacker floods NEW_CONNECTION_ID frames (type 0x18) with an escalating 'Retire Pri","name":"unbounded-connection-id-storage","provenance_note":"imported from nr_registry cluster 'unbounded-connection-id-storage'","status":"active"},{"display_name":"Unbounded Deserialisation OOM","external_references":[{"id":"CVE-2026-40881","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40881"},{"id":"CVE-2026-44500","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44500"},{"id":"GHSA-8wcc-m6j2-qxvm","kind":"ghsa","url":"https://github.com/advisories/GHSA-8wcc-m6j2-qxvm"},{"id":"GHPR-bnb-chain-bsc-3590","kind":"vendor-advisory"},{"id":"GHPR-ethereum-go-ethereum-35181","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-testnet-v1.74.1","kind":"vendor-advisory"},{"id":"GHREL-monero-project-monero-v0.17.1.8","kind":"vendor-advisory"},{"id":"GHREL-monero-project-monero-v0.17.1.9","kind":"vendor-advisory"},{"id":"GHREL-near-nearcore-1.22.0-rc.2","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0322","instances":[],"mechanism":"Unbounded Deserialisation OOM","name":"unbounded-deserialisation-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-deserialisation-oom')","status":"active"},{"display_name":"Unbounded Filter Subscription Storage Exhaustion","external_references":[{"id":"GHREL-Fantom-foundation-go-opera-v1.1.3-rc.4","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0323","instances":[],"mechanism":"Unbounded Filter Subscription Storage Exhaustion","name":"unbounded-filter-subscription-storage-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-filter-subscription-storage-exhaustion')","status":"active"},{"display_name":"Unbounded Log Range Scan Amplification","external_references":[{"id":"GHSA-68fc-7mhg-6f6c","kind":"ghsa","url":"https://github.com/advisories/GHSA-68fc-7mhg-6f6c"},{"id":"GHREL-Fantom-foundation-go-opera-v1.0.2-rc.5","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0324","instances":[],"mechanism":"Unbounded Log Range Scan Amplification","name":"unbounded-log-range-scan-amplification","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-log-range-scan-amplification')","status":"active"},{"display_name":"Unbounded Message Loop Halt","external_references":[{"id":"GHSA-v6rw-hhgg-wc4x","kind":"ghsa","url":"https://github.com/advisories/GHSA-v6rw-hhgg-wc4x"},{"id":"GHSA-w6rp-vxj2-fjhr","kind":"ghsa","url":"https://github.com/advisories/GHSA-w6rp-vxj2-fjhr"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0325","instances":[],"mechanism":"Unbounded Message Loop Halt","name":"unbounded-message-loop-halt","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-message-loop-halt')","status":"active"},{"display_name":"Unbounded Peer-Slot Sybil","external_references":[{"id":"SLOWMIST-SYBIL","kind":"vendor-advisory"}],"family":"gossip_abuse","first_seen":"2026-07-09","id":"NRDAX-T0326","instances":[{"bundle_ref":"sybil_peer_identity_flood","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md","kind":"vendor-advisory","url":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md"}],"fidelity":"lab","primitive_id":"sybil_peer_identity_flood"},{"bundle_ref":"geth_sybil_identity_flood","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md","kind":"vendor-advisory","url":"https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md"}],"fidelity":"lab","primitive_id":"geth_sybil_identity_flood"}],"mechanism":"Sybil (SlowMist Blockchain Common Vulnerability List): a flood of full RLPx+eth-handshake peers each with a DISTINCT node identity occupies the target's inbound peer slots and biases peer selection (e","name":"unbounded-peer-slot-sybil","provenance_note":"imported from nr_registry cluster 'unbounded-peer-slot-sybil'","status":"active"},{"display_name":"Unbounded Registration Storage Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0327","instances":[{"bundle_ref":"libp2p_rendezvous_cookie_exhaustion","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-v5hw-cv9c-rpg7","kind":"ghsa","url":"https://github.com/advisories/GHSA-v5hw-cv9c-rpg7"}],"fidelity":"lab","primitive_id":"libp2p_rendezvous_cookie_exhaustion"},{"bundle_ref":"libp2p_rendezvous_namespace_oom","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-cqfx-gf56-8x59","kind":"ghsa","url":"https://github.com/advisories/GHSA-cqfx-gf56-8x59"}],"fidelity":"lab","primitive_id":"libp2p_rendezvous_namespace_oom"}],"mechanism":"CVE-2026-35457 (GHSA-v5hw-cv9c-rpg7): libp2p-rendezvous server stores DISCOVER pagination cookies in an unbounded in-memory map (Registrations::cookies) with no size cap / eviction / expiry — a flood ","name":"unbounded-registration-storage-exhaustion","provenance_note":"imported from nr_registry cluster 'unbounded-registration-storage-exhaustion'","status":"active"},{"display_name":"Unbounded Request Body Memory Exhaustion","external_references":[{"id":"GHPR-monero-project-monero-10139","kind":"vendor-advisory"},{"id":"GHPR-tronprotocol-java-tron-6658","kind":"vendor-advisory"},{"id":"GHPR-tronprotocol-java-tron-6728","kind":"vendor-advisory"}],"family":"compute_amp","first_seen":"2026-07-07","id":"NRDAX-T0328","instances":[{"bundle_ref":"cardano_submit_api_body_memory_pin","chain":"cardano","discovery_origin":"original-research","external_references":[{"id":"https://github.com/IntersectMBO/cardano-node/blob/master/cardano-submit-api/src/Cardano/TxSubmit/Rest/Types.hs","kind":"vendor-advisory","url":"https://github.com/IntersectMBO/cardano-node/blob/master/cardano-submit-api/src/Cardano/TxSubmit/Rest/Types.hs"}],"fidelity":"lab","primitive_id":"cardano_submit_api_body_memory_pin"},{"bundle_ref":"prysm_attester_slashing_pubkey_burn","chain":"ethereum","discovery_origin":"original-research","external_references":[{"id":"chains/ethereum/findings/PRYSM_ATTESTER_SLASHING_PUBKEY_BURN/README.md","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"prysm_attester_slashing_pubkey_burn"},{"bundle_ref":"prysm_bls_exec_change_decode_burn","chain":"ethereum","discovery_origin":"original-research","external_references":[{"id":"chains/ethereum/findings/PRYSM_BLS_EXEC_CHANGE_DECODE_BURN/README.md","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"prysm_bls_exec_change_decode_burn"},{"bundle_ref":"prysm_bls_pool_decode_burn","chain":"ethereum","discovery_origin":"original-research","external_references":[{"id":"chains/ethereum/findings/PRYSM_BLS_POOL_DECODE_BURN/README.md","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"prysm_bls_pool_decode_burn"},{"bundle_ref":"reth_pooledtx_decode_memory_amp","chain":"ethereum","discovery_origin":"original-research","external_references":[{"id":"https://github.com/paradigmxyz/reth/pull/23718","kind":"vendor-advisory","url":"https://github.com/paradigmxyz/reth/pull/23718"}],"fidelity":"lab","primitive_id":"reth_pooledtx_decode_memory_amp"},{"bundle_ref":"ic_orchestrator_cup_body_bomb","chain":"ic","discovery_origin":"original-research","external_references":[{"id":"dfinity/ic rs/orchestrator/src/catch_up_package_provider.rs:343-372 (timeout(self.backoff, res.into_body().collect()) — no http_body_util::Limited byte cap; secondary site rs/canister_client/src/http_client.rs:302)","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"ic_orchestrator_cup_body_bomb"}],"mechanism":"PRYSM_ATTESTER_SLASHING_PUBKEY_BURN (S4): POST /eth/v1/beacon/pool/attester_slashings_v2 decodes one AttesterSlashingElectra whose attesting_indices vector is capped only at the structural MaxValidato","name":"unbounded-request-body-memory-exhaustion","provenance_note":"imported from nr_registry cluster 'unbounded-request-body-memory-exhaustion'","status":"active"},{"display_name":"Unbounded RPC Response Amplification","external_references":[{"id":"CVE-2025-26819","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-26819"},{"id":"GHPR-matter-labs-zksync-era-4860","kind":"vendor-advisory"}],"family":"response_amp","first_seen":"2025-01-01","id":"NRDAX-T0329","instances":[{"bundle_ref":"aptos_f10_modules_amp","chain":"aptos","discovery_origin":"original-research","external_references":[{"id":"https://aptos.dev/en/build/apis/fullnode-rest-api","kind":"vendor-advisory","url":"https://aptos.dev/en/build/apis/fullnode-rest-api"}],"fidelity":"lab","primitive_id":"aptos_f10_modules_amp"},{"bundle_ref":"eth_getlogs_response_amp","chain":"ethereum","discovery_origin":"original-research","external_references":[{"id":"https://geth.ethereum.org/docs/interacting-with-geth/rpc","kind":"vendor-advisory","url":"https://geth.ethereum.org/docs/interacting-with-geth/rpc"}],"fidelity":"lab","primitive_id":"eth_getlogs_response_amp"},{"bundle_ref":"geth_eth_receipt_flood","chain":"ethereum","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://reports.immunefi.com/ethereum-protocol-or-attackathon/37466-bc-medium-evil-client-oom-crash-fast-p2p-crash","kind":"vendor-advisory","url":"https://reports.immunefi.com/ethereum-protocol-or-attackathon/37466-bc-medium-evil-client-oom-crash-fast-p2p-crash"}],"fidelity":"lab","primitive_id":"geth_eth_receipt_flood"},{"bundle_ref":"iota_f10_grpc_batch_amp","chain":"iota","discovery_origin":"original-research","external_references":[{"id":"https://docs.iota.org/references/iota-api (gRPC LedgerService GetObjects/GetTransactions; F10 response-amp class)","kind":"vendor-advisory","url":"https://docs.iota.org/references/iota-api (gRPC LedgerService GetObjects/GetTransactions; F10 response-amp class)"}],"fidelity":"lab","primitive_id":"iota_f10_grpc_batch_amp"},{"bundle_ref":"iota_f10_multiget_amp","chain":"iota","discovery_origin":"original-research","external_references":[{"id":"https://docs.iota.org/references/iota-api/iota/method/iota_multiGetObjects","kind":"vendor-advisory","url":"https://docs.iota.org/references/iota-api/iota/method/iota_multiGetObjects"}],"fidelity":"lab","primitive_id":"iota_f10_multiget_amp"},{"bundle_ref":"SOL_F10_multi_get_accounts_amp","chain":"solana","discovery_origin":"original-research","external_references":[],"fidelity":"lab","primitive_id":"SOL_F10_multi_get_accounts_amp"},{"bundle_ref":"sol_getsigs_response_amp","chain":"solana","discovery_origin":"original-research","external_references":[{"id":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md","kind":"vendor-advisory","url":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md"}],"fidelity":"lab","primitive_id":"sol_getsigs_response_amp"},{"bundle_ref":"sol_gpa_response_amp","chain":"solana","discovery_origin":"original-research","external_references":[{"id":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md","kind":"vendor-advisory","url":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md"}],"fidelity":"lab","primitive_id":"sol_gpa_response_amp"},{"bundle_ref":"sui_f10_multiget_response_amp","chain":"sui","discovery_origin":"original-research","external_references":[{"id":"https://github.com/MystenLabs/sui/blob/main/docs/content/references/sui-api.mdx","kind":"vendor-advisory","url":"https://github.com/MystenLabs/sui/blob/main/docs/content/references/sui-api.mdx"}],"fidelity":"lab","primitive_id":"sui_f10_multiget_response_amp"},{"bundle_ref":"sui_p05_multiget_txblocks_amp","chain":"sui","discovery_origin":"original-research","external_references":[{"id":"https://github.com/MystenLabs/sui/blob/main/docs/content/references/sui-api.mdx","kind":"vendor-advisory","url":"https://github.com/MystenLabs/sui/blob/main/docs/content/references/sui-api.mdx"}],"fidelity":"lab","primitive_id":"sui_p05_multiget_txblocks_amp"},{"bundle_ref":"rippled_batch_response_amp","chain":"xrp","discovery_origin":"original-research","external_references":[{"id":"https://github.com/XRPLF/rippled/blob/develop/src/xrpld/rpc/detail/ServerHandler.cpp","kind":"vendor-advisory","url":"https://github.com/XRPLF/rippled/blob/develop/src/xrpld/rpc/detail/ServerHandler.cpp"}],"fidelity":"lab","primitive_id":"rippled_batch_response_amp"},{"bundle_ref":"zcash_zebra_getaddresstxids_response_amp","chain":"zcash","discovery_origin":"original-research","external_references":[{"id":"https://zcash.github.io/rpc/getaddressutxos.html (unpaginated list RPC; F10 response-amp class)","kind":"vendor-advisory","url":"https://zcash.github.io/rpc/getaddressutxos.html (unpaginated list RPC; F10 response-amp class)"}],"fidelity":"lab","primitive_id":"zcash_zebra_getaddresstxids_response_amp"},{"bundle_ref":"zcash_zebra_getaddressutxos_response_amp","chain":"zcash","discovery_origin":"original-research","external_references":[{"id":"https://zcash.github.io/rpc/getaddressutxos.html (unpaginated list RPC; F10 response-amp class)","kind":"vendor-advisory","url":"https://zcash.github.io/rpc/getaddressutxos.html (unpaginated list RPC; F10 response-amp class)"}],"fidelity":"lab","primitive_id":"zcash_zebra_getaddressutxos_response_amp"},{"bundle_ref":"zcash_zebra_getblocktemplate_response_amp","chain":"zcash","discovery_origin":"original-research","external_references":[{"id":"zebra-rpc getrawmempool/getblocktemplate (uncapped whole-mempool serialisation; F10 response-amp)","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"zcash_zebra_getblocktemplate_response_amp"},{"bundle_ref":"zcash_zebra_getrawmempool_verbose_response_amp","chain":"zcash","discovery_origin":"original-research","external_references":[{"id":"zebra-rpc getrawmempool/getblocktemplate (uncapped whole-mempool serialisation; F10 response-amp)","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"zcash_zebra_getrawmempool_verbose_response_amp"}],"mechanism":"The node's JSON-RPC handler for batched account-lookup calls (e.g. getMultipleAccounts) imposes no response-size accounting or cost weighting relative to request size, only a flat cap on key count. An attacker submits a small request (~4.8KB) listing well-known large program accounts (Token/BPFLoader2/BPFLoaderUpgradeable), whose ELF/program data stubs are echoed in full, driving a single request to a ~17.8MB response (3,708x amplification) and sustained ~830MB/s egress under parallel workers. The fix-class is response-size-aware rate limiting/cost accounting on batched read RPCs (weighting by bytes returned, not just item count), not a request-count cap.","name":"unbounded-rpc-response-amplification","provenance_note":"imported from nr_registry cluster 'unbounded-rpc-response-amplification'","status":"active"},{"display_name":"Unbounded Signature Verification CPU Exhaustion","external_references":[{"id":"GHPR-tronprotocol-java-tron-6820","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0330","instances":[],"mechanism":"Unbounded Signature Verification CPU Exhaustion","name":"unbounded-signature-verification-cpu-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-signature-verification-cpu-exhaustion')","status":"active"},{"display_name":"Unbounded Stream Backpressure OOM","external_references":[],"family":"connection_exhaustion","first_seen":"2026-07-01","id":"NRDAX-T0331","instances":[{"bundle_ref":"libp2p_stream_exhaustion","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-j7qp-mfxf-8xjw","kind":"ghsa","url":"https://github.com/advisories/GHSA-j7qp-mfxf-8xjw"}],"fidelity":"lab","primitive_id":"libp2p_stream_exhaustion"}],"mechanism":"CVE-2022-23492/CVE-2022-23486: libp2p stream/connection exhaustion (no backpressure) → OOM","name":"unbounded-stream-backpressure-oom","provenance_note":"imported from nr_registry cluster 'unbounded-stream-backpressure-oom'","status":"active"},{"display_name":"Unbounded Stream Resource Exhaustion","external_references":[{"id":"CVE-2022-23486","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23486"},{"id":"CVE-2022-23487","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23487"},{"id":"CVE-2022-23492","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23492"},{"id":"CVE-2025-54604","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54604"},{"id":"CVE-2025-54605","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54605"},{"id":"CVE-2026-35457","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35457"},{"id":"GHSA-475v-pq2g-fp9g","kind":"ghsa","url":"https://github.com/advisories/GHSA-475v-pq2g-fp9g"},{"id":"GHPR-near-nearcore-15982","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2022-01-01","id":"NRDAX-T0332","instances":[{"bundle_ref":"coredns_doq_stream_slowloris","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"proxy","primitive_id":"coredns_doq_stream_slowloris"}],"mechanism":"Unbounded Stream Resource Exhaustion","name":"unbounded-stream-resource-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-stream-resource-exhaustion')","status":"active"},{"display_name":"Unbounded Subscription Flood","external_references":[{"id":"CVE-2026-46679","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46679"},{"id":"GHREL-prysmaticlabs-prysm-v7.1.7","kind":"vendor-advisory"}],"family":"connection_exhaustion","first_seen":"2026-01-01","id":"NRDAX-T0333","instances":[{"bundle_ref":"iota_graphql_s1_unbounded_subs","chain":"iota","discovery_origin":"original-research","external_references":[{"id":"iota-graphql-rpc subscription_handler/GraphQLWebSocket (no sub cap); IOTA ownership doc S1","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"iota_graphql_s1_unbounded_subs"},{"bundle_ref":"gossipsub_subscribe_flood","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-4f8r-922h-2vgv","kind":"ghsa","url":"https://github.com/advisories/GHSA-4f8r-922h-2vgv"}],"fidelity":"lab","primitive_id":"gossipsub_subscribe_flood"}],"mechanism":"NullRabbit source-traced IOTA GraphQL unbounded-subscription flood (operator-gated).","name":"unbounded-subscription-flood","provenance_note":"imported from nr_registry cluster 'unbounded-subscription-flood'","status":"active"},{"display_name":"Unbounded Task Spawn Resource Exhaustion","external_references":[{"id":"GHPR-starkware-libs-sequencer-14579","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0334","instances":[],"mechanism":"Unbounded Task Spawn Resource Exhaustion","name":"unbounded-task-spawn-resource-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'unbounded-task-spawn-resource-exhaustion')","status":"active"},{"display_name":"Unchecked Inherent Manipulation","external_references":[{"id":"CVE-2025-54427","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54427"}],"family":"consensus","first_seen":"2025-01-01","id":"NRDAX-T0335","instances":[],"mechanism":"Unchecked Inherent Manipulation","name":"unchecked-inherent-manipulation","provenance_note":"known-but-not-reproduced coverage gap (technique 'unchecked-inherent-manipulation')","status":"active"},{"display_name":"Unchecked Memory Write Panic","external_references":[{"id":"GHPR-anza-xyz-agave-6254","kind":"vendor-advisory"},{"id":"GHPR-firedancer-io-firedancer-10406","kind":"vendor-advisory"},{"id":"GHPR-jito-foundation-jito-solana-295","kind":"vendor-advisory"},{"id":"GHPR-stellar-rs-soroban-env-1173","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0336","instances":[],"mechanism":"Unchecked Memory Write Panic","name":"unchecked-memory-write-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'unchecked-memory-write-panic')","status":"active"},{"display_name":"Unexploitable Dependency Vulnerability","external_references":[{"id":"CVE-2018-1000120","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000120"},{"id":"CVE-2020-35910","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-35910"},{"id":"CVE-2021-28036","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28036"},{"id":"CVE-2022-22968","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-22968"},{"id":"CVE-2023-32731","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-32731"},{"id":"CVE-2023-33953","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33953"},{"id":"CVE-2023-34462","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-34462"},{"id":"CVE-2023-39017","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39017"},{"id":"CVE-2023-46232","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46232"},{"id":"CVE-2023-4785","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-4785"},{"id":"CVE-2023-6378","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-6378"},{"id":"CVE-2024-27297","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27297"},{"id":"CVE-2024-27304","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-27304"},{"id":"CVE-2024-34704","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-34704"},{"id":"CVE-2024-42461","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42461"},{"id":"CVE-2024-45056","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45056"},{"id":"CVE-2024-47081","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47081"},{"id":"CVE-2025-12816","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-12816"},{"id":"CVE-2025-22150","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-22150"},{"id":"CVE-2025-31133","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-31133"},{"id":"CVE-2025-50181","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-50181"},{"id":"CVE-2025-5115","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-5115"},{"id":"CVE-2025-53000","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53000"},{"id":"CVE-2025-55298","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55298"},{"id":"CVE-2025-68146","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68146"},{"id":"CVE-2025-71176","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71176"},{"id":"CVE-2026-21441","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21441"},{"id":"CVE-2026-24049","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24049"},{"id":"CVE-2026-24051","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24051"},{"id":"CVE-2026-25645","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25645"},{"id":"CVE-2026-26014","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26014"},{"id":"CVE-2026-33671","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33671"},{"id":"CVE-2026-41907","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41907"},{"id":"GHSA-74p7-6h78-gw8p","kind":"ghsa","url":"https://github.com/advisories/GHSA-74p7-6h78-gw8p"},{"id":"GHSA-fr4h-3cph-29xv","kind":"ghsa","url":"https://github.com/advisories/GHSA-fr4h-3cph-29xv"},{"id":"GHSA-jv2h-4p9v-wf5w","kind":"ghsa","url":"https://github.com/advisories/GHSA-jv2h-4p9v-wf5w"},{"id":"GHSA-q7j3-v8qv-22vq","kind":"ghsa","url":"https://github.com/advisories/GHSA-q7j3-v8qv-22vq"},{"id":"GHSA-rc23-xxgq-x27g","kind":"ghsa","url":"https://github.com/advisories/GHSA-rc23-xxgq-x27g"},{"id":"GHPR-Conflux-Chain-conflux-rust-3567","kind":"vendor-advisory"},{"id":"GHPR-MystenLabs-sui-26948","kind":"vendor-advisory"},{"id":"GHPR-MystenLabs-sui-26968","kind":"vendor-advisory"},{"id":"GHPR-dogecoin-dogecoin-3357","kind":"vendor-advisory"},{"id":"GHPR-dogecoin-dogecoin-3415","kind":"vendor-advisory"},{"id":"GHPR-matter-labs-zksync-era-4881","kind":"vendor-advisory"},{"id":"GHPR-monero-project-monero-10213","kind":"vendor-advisory"},{"id":"GHPR-monero-project-monero-10738","kind":"vendor-advisory"},{"id":"GHPR-monero-project-monero-8929","kind":"vendor-advisory"},{"id":"GHPR-paradigmxyz-reth-21894","kind":"vendor-advisory"},{"id":"GHREL-IntersectMBO-cardano-node-8.11.0-pre","kind":"vendor-advisory"},{"id":"GHREL-IntersectMBO-cardano-node-8.9.3","kind":"vendor-advisory"},{"id":"GHREL-solana-labs-solana-v0.9.1","kind":"vendor-advisory"}],"family":"supply-chain","first_seen":"2018-01-01","id":"NRDAX-T0337","instances":[],"mechanism":"Unexploitable Dependency Vulnerability","name":"unexploitable-dependency-vulnerability","provenance_note":"known-but-not-reproduced coverage gap (technique 'unexploitable-dependency-vulnerability')","status":"active"},{"display_name":"Unhandled Enum Variant Panic","external_references":[{"id":"GHPR-Conflux-Chain-conflux-rust-3520","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0338","instances":[],"mechanism":"Unhandled Enum Variant Panic","name":"unhandled-enum-variant-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'unhandled-enum-variant-panic')","status":"active"},{"display_name":"Unhandled Fork Event Panic","external_references":[{"id":"GHPR-anza-xyz-agave-13606","kind":"vendor-advisory"},{"id":"GHPR-near-nearcore-15909","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0339","instances":[],"mechanism":"Unhandled Fork Event Panic","name":"unhandled-fork-event-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'unhandled-fork-event-panic')","status":"active"},{"display_name":"Unhandled Promise Rejection Crash","external_references":[{"id":"GHPR-libp2p-js-libp2p-2299","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0340","instances":[],"mechanism":"Unhandled Promise Rejection Crash","name":"unhandled-promise-rejection-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'unhandled-promise-rejection-crash')","status":"active"},{"display_name":"Unhandled RPC Error Panic","external_references":[{"id":"GHPR-MystenLabs-sui-26528","kind":"vendor-advisory"},{"id":"GHPR-OffchainLabs-go-ethereum-475","kind":"vendor-advisory"},{"id":"GHPR-OffchainLabs-go-ethereum-624","kind":"vendor-advisory"},{"id":"GHPR-XRPLF-clio-620","kind":"vendor-advisory"},{"id":"GHPR-XRPLF-rippled-7675","kind":"vendor-advisory"},{"id":"GHPR-paradigmxyz-reth-23987","kind":"vendor-advisory"},{"id":"GHPR-paritytech-polkadot-sdk-12220","kind":"vendor-advisory"},{"id":"GHPR-solana-labs-solana-35244","kind":"vendor-advisory"},{"id":"GHPR-starkware-libs-sequencer-14412","kind":"vendor-advisory"},{"id":"GHPR-starkware-libs-sequencer-14744","kind":"vendor-advisory"},{"id":"GHREL-Conflux-Chain-conflux-rust-v0.3.2","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-devnet-v1.68.0","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-mainnet-v1.68.1","kind":"vendor-advisory"},{"id":"GHREL-MystenLabs-sui-testnet-v1.18.1","kind":"vendor-advisory"},{"id":"GHREL-algorand-go-algorand-v3.0.1-beta","kind":"vendor-advisory"},{"id":"GHREL-firedancer-io-firedancer-v0.706.20306","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0341","instances":[],"mechanism":"Unhandled RPC Error Panic","name":"unhandled-rpc-error-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'unhandled-rpc-error-panic')","status":"active"},{"display_name":"Unindexed Account Scan CPU Amplification","external_references":[],"family":"compute_amp","first_seen":"2026-06-30","id":"NRDAX-T0342","instances":[{"bundle_ref":"sol_getblocks_enum_scan","chain":"solana","discovery_origin":"original-research","external_references":[{"id":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md","kind":"vendor-advisory","url":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md"}],"fidelity":"lab","primitive_id":"sol_getblocks_enum_scan"},{"bundle_ref":"sol_gpa_compute_scan","chain":"solana","discovery_origin":"original-research","external_references":[{"id":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md","kind":"vendor-advisory","url":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md"}],"fidelity":"lab","primitive_id":"sol_gpa_compute_scan"},{"bundle_ref":"sui_p07_getownedobjects_scan","chain":"sui","discovery_origin":"original-research","external_references":[{"id":"https://github.com/MystenLabs/sui/blob/main/crates/sui-core/src/authority.rs","kind":"vendor-advisory","url":"https://github.com/MystenLabs/sui/blob/main/crates/sui-core/src/authority.rs"}],"fidelity":"lab","primitive_id":"sui_p07_getownedobjects_scan"}],"mechanism":"E28/SOL_P07: getProgramAccounts filter-miss CPU scan (agave rpc.rs:2235-2251)","name":"unindexed-account-scan-cpu-amplification","provenance_note":"imported from nr_registry cluster 'unindexed-account-scan-cpu-amplification'","status":"active"},{"display_name":"Uninitialized Buffer Memory Disclosure","external_references":[{"id":"CVE-2021-45684","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-45684"}],"family":"network-p2p","first_seen":"2021-01-01","id":"NRDAX-T0343","instances":[],"mechanism":"Uninitialized Buffer Memory Disclosure","name":"uninitialized-buffer-memory-disclosure","provenance_note":"known-but-not-reproduced coverage gap (technique 'uninitialized-buffer-memory-disclosure')","status":"active"},{"display_name":"Uninitialized Memory Disclosure","external_references":[{"id":"CVE-2020-36443","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36443"},{"id":"CVE-2020-36512","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36512"}],"family":"supply-chain","first_seen":"2020-01-01","id":"NRDAX-T0344","instances":[],"mechanism":"Uninitialized Memory Disclosure","name":"uninitialized-memory-disclosure","provenance_note":"known-but-not-reproduced coverage gap (technique 'uninitialized-memory-disclosure')","status":"active"},{"display_name":"Unrated GetHeaders Response Flood","external_references":[],"family":"response_amp","first_seen":"2026-07-01","id":"NRDAX-T0345","instances":[{"bundle_ref":"p2p_getheaders_drain","chain":"litecoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2023-33297","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33297"}],"fidelity":"lab","primitive_id":"p2p_getheaders_drain"}],"mechanism":"CVE-2023-33297 (drain): un-rate-limited getheaders flood → >100MB/s upload (Bitcoin/Litecoin/Dogecoin)","name":"unrated-getheaders-response-flood","provenance_note":"imported from nr_registry cluster 'unrated-getheaders-response-flood'","status":"active"},{"display_name":"Unresolvable Finalized Block Wedge","external_references":[{"id":"GHPR-NethermindEth-nethermind-11995","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0346","instances":[],"mechanism":"Unresolvable Finalized Block Wedge","name":"unresolvable-finalized-block-wedge","provenance_note":"known-but-not-reproduced coverage gap (technique 'unresolvable-finalized-block-wedge')","status":"active"},{"display_name":"Unsafe Deserialization Memory Corruption","external_references":[{"id":"CVE-2018-3972","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-3972"},{"id":"CVE-2021-3121","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3121"}],"family":"network-p2p","first_seen":"2018-01-01","id":"NRDAX-T0347","instances":[],"mechanism":"Unsafe Deserialization Memory Corruption","name":"unsafe-deserialization-memory-corruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'unsafe-deserialization-memory-corruption')","status":"active"},{"display_name":"Unsafe Deserialization RCE","external_references":[{"id":"CVE-2022-42003","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-42003"},{"id":"CVE-2025-58367","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-58367"},{"id":"GHSA-rpj2-4hq8-938g","kind":"ghsa","url":"https://github.com/advisories/GHSA-rpj2-4hq8-938g"},{"id":"GHPR-near-nearcore-15709","kind":"vendor-advisory"}],"family":"supply-chain","first_seen":"2022-01-01","id":"NRDAX-T0348","instances":[],"mechanism":"Unsafe Deserialization RCE","name":"unsafe-deserialization-rce","provenance_note":"known-but-not-reproduced coverage gap (technique 'unsafe-deserialization-rce')","status":"active"},{"display_name":"Unseeded Hash Collision DoS","external_references":[],"family":"compute_amp","first_seen":"2026-07-11","id":"NRDAX-T0349","instances":[{"bundle_ref":"quic_scid_collision_hash_dos","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"CVE-2025-47200 — NCC Group / Fox-IT technical advisory 'Hash Denial-of-Service Attack in Multiple QUIC Implementations'. QUIC servers index the connection table by the peer-chosen Source Connection ID (SCID, 8..20 bytes). Implementations hashing the SCID with a weak non-seeded function (FNV, xxHash, or a multiplicative `hash = hash*31 + char`) let an attacker pre-compute DISTINCT SCIDs that all collide into one bucket; opening many such connections degrades table insert/lookup from O(1) to O(n) (amortised O(n^2)), burning server CPU. Only SipHash resists it. Affected: xquic <= 1.8.1 (fixed 1.8.2), Apache Traffic Server <= 10.0.3 / 9.2.x <= 9.2.8, ngtcp2 1.10.0 example server (all CVE-2025-47200); kwik <= 0.10.0 (CVE-2025-23020, fixed 0.10.1); lsquic <= 4.0.12 (CVE-2025-24947, fixed 4.2.0); picoquic commit 3827b00 (CVE-2025-24946, fixed b80fd3f). https://www.nccgroup.com/research/technical-advisory-hash-denial-of-service-attack-in-multiple-quic-implementations/","kind":"cve"}],"fidelity":"lab","primitive_id":"quic_scid_collision_hash_dos"}],"mechanism":"QUIC SCID hash-collision DoS (CVE-2025-47200): a flood of QUIC v1 Initial packets whose 8-byte Source Connection IDs are crafted to COLLIDE in the server's connection-ID hash table. The server keys ac","name":"unseeded-hash-collision-dos","provenance_note":"imported from nr_registry cluster 'unseeded-hash-collision-dos'","status":"active"},{"display_name":"Unsolicited Block State Poisoning","external_references":[{"id":"GHSA-382w-958v-m5jr","kind":"ghsa","url":"https://github.com/advisories/GHSA-382w-958v-m5jr"}],"family":"consensus_abuse","first_seen":"2026-07-01","id":"NRDAX-T0350","instances":[{"bundle_ref":"btc_mutated_block","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/10/08/disclose-mutated-blocks-hindering-propagation/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/10/08/disclose-mutated-blocks-hindering-propagation/"}],"fidelity":"lab","primitive_id":"btc_mutated_block"},{"bundle_ref":"cometbft_blocksync_malicious_peer","chain":"cosmos","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/cometbft/cometbft/security/advisories/GHSA-hg58-rf2h-6rr7","kind":"ghsa","url":"https://github.com/cometbft/cometbft/security/advisories/GHSA-hg58-rf2h-6rr7"}],"fidelity":"proxy","primitive_id":"cometbft_blocksync_malicious_peer"}],"mechanism":"CVE-2024-52921: unrequested merkle-mismatched block erases other peers' download state → hinders propagation","name":"unsolicited-block-state-poisoning","provenance_note":"imported from nr_registry cluster 'unsolicited-block-state-poisoning'","status":"active"},{"display_name":"Unvalidated DHT Record Storage Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-10","id":"NRDAX-T0351","instances":[{"bundle_ref":"libp2p_dht_putvalue_disk_exhaustion","chain":"libp2p","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://github.com/advisories/GHSA-32mq-hpph-xfvr","kind":"ghsa","url":"https://github.com/advisories/GHSA-32mq-hpph-xfvr"}],"fidelity":"lab","primitive_id":"libp2p_dht_putvalue_disk_exhaustion"}],"mechanism":"CVE-2026-45783 / GHSA-32mq-hpph-xfvr: the libp2p Kademlia DHT (@libp2p/kad-dht (npm, js-libp2p), affected < 16.2.6) accepts and persists PUT_VALUE records with no effective validation, count, or byte ","name":"unvalidated-dht-record-storage-exhaustion","provenance_note":"imported from nr_registry cluster 'unvalidated-dht-record-storage-exhaustion'","status":"active"},{"display_name":"Unvalidated Field Length Panic","external_references":[],"family":"state_import_abuse","first_seen":"2026-07-03","id":"NRDAX-T0352","instances":[{"bundle_ref":"sol_snapshot_oversized_datalen_indexgen_panic","chain":"solana-agave","discovery_origin":"original-research","external_references":[{"id":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md","kind":"vendor-advisory","url":"https://github.com/anza-xyz/agave/blob/master/SECURITY.md"}],"fidelity":"lab","primitive_id":"sol_snapshot_oversized_datalen_indexgen_panic"}],"mechanism":"Agave snapshot AppendVec StoredMeta.data_len > MAX_PERMITTED_DATA_LENGTH (10 MiB) survives new_for_startup (sanitize skipped) -> index-gen scan_accounts QuotaExceeded -> .expect(\"must scan accounts st","name":"unvalidated-field-length-panic","provenance_note":"imported from nr_registry cluster 'unvalidated-field-length-panic'","status":"active"},{"display_name":"Unvalidated Header Buffer OOM","external_references":[{"id":"CVE-2026-42582","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42582"},{"id":"GHSA-jqc5-2p7q-fqfc","kind":"ghsa","url":"https://github.com/advisories/GHSA-jqc5-2p7q-fqfc"}],"family":"memory_amp","first_seen":"2026-01-01","id":"NRDAX-T0353","instances":[{"bundle_ref":"btc_headers_genesis_spam","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/07/03/disclose-header-spam/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/07/03/disclose-header-spam/"}],"fidelity":"lab","primitive_id":"btc_headers_genesis_spam"},{"bundle_ref":"btc_headers_oom","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://bitcoincore.org/en/2024/09/18/disclose-headers-oom/","kind":"vendor-advisory","url":"https://bitcoincore.org/en/2024/09/18/disclose-headers-oom/"}],"fidelity":"lab","primitive_id":"btc_headers_oom"}],"mechanism":"CVE-2024-52916: difficulty-1 headers with parent=genesis → mapBlockIndex unbounded growth → memory DoS","name":"unvalidated-header-buffer-oom","provenance_note":"imported from nr_registry cluster 'unvalidated-header-buffer-oom'","status":"active"},{"display_name":"Unvalidated Inventory Tracking Memory Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-01","id":"NRDAX-T0354","instances":[{"bundle_ref":"btc_invdos_flood","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://invdos.net/","kind":"vendor-advisory","url":"https://invdos.net/"}],"fidelity":"lab","primitive_id":"btc_invdos_flood"}],"mechanism":"CVE-2018-17145 (INVDoS): random-hash INV flood → unbounded tx-tracking memory","name":"unvalidated-inventory-tracking-memory-exhaustion","provenance_note":"imported from nr_registry cluster 'unvalidated-inventory-tracking-memory-exhaustion'","status":"active"},{"display_name":"Unvalidated Relay Map Memory Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-01","id":"NRDAX-T0355","instances":[{"bundle_ref":"btc_alert_flood","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2016-10724","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2016-10724"}],"fidelity":"lab","primitive_id":"btc_alert_flood"},{"bundle_ref":"btc_tx_maprelay","chain":"bitcoin","discovery_origin":"reverse-engineered-cve","external_references":[{"id":"https://nvd.nist.gov/vuln/detail/CVE-2013-4627","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4627"}],"fidelity":"lab","primitive_id":"btc_tx_maprelay"}],"mechanism":"CVE-2016-10724: pre-0.13.0 alert messages stored in an unbounded map → memory exhaustion","name":"unvalidated-relay-map-memory-exhaustion","provenance_note":"imported from nr_registry cluster 'unvalidated-relay-map-memory-exhaustion'","status":"active"},{"display_name":"UPnP Gateway Event Panic Crash","external_references":[{"id":"GHPR-libp2p-rust-libp2p-5273","kind":"vendor-advisory"},{"id":"GHPR-libp2p-rust-libp2p-6459","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0356","instances":[],"mechanism":"UPnP Gateway Event Panic Crash","name":"upnp-gateway-event-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'upnp-gateway-event-panic-crash')","status":"active"},{"display_name":"UPnP Response Buffer Overflow","external_references":[{"id":"CVE-2015-20111","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2015-20111"}],"family":"supply-chain","first_seen":"2015-01-01","id":"NRDAX-T0357","instances":[],"mechanism":"UPnP Response Buffer Overflow","name":"upnp-response-buffer-overflow","provenance_note":"known-but-not-reproduced coverage gap (technique 'upnp-response-buffer-overflow')","status":"active"},{"display_name":"URL Path Encoding Auth Bypass","external_references":[{"id":"CVE-2026-42882","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42882"}],"family":"network-rpc","first_seen":"2026-01-01","id":"NRDAX-T0358","instances":[],"mechanism":"URL Path Encoding Auth Bypass","name":"url-path-encoding-auth-bypass","provenance_note":"known-but-not-reproduced coverage gap (technique 'url-path-encoding-auth-bypass')","status":"active"},{"display_name":"Verbose Logging Triggered Crash","external_references":[{"id":"CVE-2022-29177","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-29177"}],"family":"network-p2p","first_seen":"2022-01-01","id":"NRDAX-T0359","instances":[],"mechanism":"Verbose Logging Triggered Crash","name":"verbose-logging-triggered-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'verbose-logging-triggered-crash')","status":"active"},{"display_name":"Vesting Account Creation Front-Running","external_references":[{"id":"GHSA-m99c-q26r-m7m7","kind":"ghsa","url":"https://github.com/advisories/GHSA-m99c-q26r-m7m7"}],"family":"governance","first_seen":"2020-01-01","id":"NRDAX-T0360","instances":[],"mechanism":"Vesting Account Creation Front-Running","name":"vesting-account-creation-frontrun","provenance_note":"known-but-not-reproduced coverage gap (technique 'vesting-account-creation-frontrun')","status":"active"},{"display_name":"Vesting Logic Exploit","external_references":[{"id":"CVE-2024-32873","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-32873"},{"id":"CVE-2024-37154","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-37154"},{"id":"CVE-2024-39696","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39696"},{"id":"GHSA-j2cr-jc39-wpx5","kind":"ghsa","url":"https://github.com/advisories/GHSA-j2cr-jc39-wpx5"}],"family":"economic-defi","first_seen":"2024-01-01","id":"NRDAX-T0361","instances":[],"mechanism":"Vesting Logic Exploit","name":"vesting-logic-exploit","provenance_note":"known-but-not-reproduced coverage gap (technique 'vesting-logic-exploit')","status":"active"},{"display_name":"VM Integer Overflow Memory Corruption","external_references":[{"id":"CVE-2021-46102","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46102"},{"id":"CVE-2022-31264","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-31264"}],"family":"ledger-tx","first_seen":"2021-01-01","id":"NRDAX-T0362","instances":[],"mechanism":"VM Integer Overflow Memory Corruption","name":"vm-integer-overflow-memory-corruption","provenance_note":"known-but-not-reproduced coverage gap (technique 'vm-integer-overflow-memory-corruption')","status":"active"},{"display_name":"VM Resource Exhaustion OOM","external_references":[{"id":"GHSA-m3rh-cvr5-x6q4","kind":"ghsa","url":"https://github.com/advisories/GHSA-m3rh-cvr5-x6q4"},{"id":"GHPR-aptos-labs-aptos-core-20125","kind":"vendor-advisory"},{"id":"GHPR-move-language-move-567","kind":"vendor-advisory"},{"id":"GHPR-move-language-move-950","kind":"vendor-advisory"},{"id":"GHREL-hashgraph-hedera-services-v0.68.0","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0363","instances":[],"mechanism":"VM Resource Exhaustion OOM","name":"vm-resource-exhaustion-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'vm-resource-exhaustion-oom')","status":"active"},{"display_name":"VM Stack Overflow Crash","external_references":[{"id":"GHSA-g8w7-7vgg-x7xg","kind":"ghsa","url":"https://github.com/advisories/GHSA-g8w7-7vgg-x7xg"},{"id":"GHPR-OffchainLabs-nitro-4538","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0364","instances":[],"mechanism":"VM Stack Overflow Crash","name":"vm-stack-overflow-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'vm-stack-overflow-crash')","status":"active"},{"display_name":"VM Stack Underflow Panic","external_references":[{"id":"GHPR-bnb-chain-bsc-3588","kind":"vendor-advisory"}],"family":"ledger-tx","first_seen":"2020-01-01","id":"NRDAX-T0365","instances":[],"mechanism":"VM Stack Underflow Panic","name":"vm-stack-underflow-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'vm-stack-underflow-panic')","status":"active"},{"display_name":"Vote Extension Power Mutation","external_references":[{"id":"GHSA-95rx-m9m5-m94v","kind":"ghsa","url":"https://github.com/advisories/GHSA-95rx-m9m5-m94v"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0366","instances":[],"mechanism":"Vote Extension Power Mutation","name":"vote-extension-power-mutation","provenance_note":"known-but-not-reproduced coverage gap (technique 'vote-extension-power-mutation')","status":"active"},{"display_name":"Vote Extension Validation Panic","external_references":[{"id":"CVE-2024-45310","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-45310"},{"id":"GHPR-cometbft-cometbft-5890","kind":"vendor-advisory"},{"id":"GHPR-cosmos-gaia-3270","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2024-01-01","id":"NRDAX-T0367","instances":[],"mechanism":"Vote Extension Validation Panic","name":"vote-extension-validation-panic","provenance_note":"known-but-not-reproduced coverage gap (technique 'vote-extension-validation-panic')","status":"active"},{"display_name":"Vote Signature Late Verification Resource Exhaustion","external_references":[{"id":"GHREL-solana-labs-solana-v1.1.7","kind":"vendor-advisory"}],"family":"consensus","first_seen":"2020-01-01","id":"NRDAX-T0368","instances":[],"mechanism":"Vote Signature Late Verification Resource Exhaustion","name":"vote-signature-late-verification-resource-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'vote-signature-late-verification-resource-exhaustion')","status":"active"},{"display_name":"WebSocket Task Spawn Exhaustion","external_references":[],"family":"memory_amp","first_seen":"2026-07-08","id":"NRDAX-T0369","instances":[{"bundle_ref":"sui_jsonrpsee_h4_ws_task_spawn","chain":"sui","discovery_origin":"original-research","external_references":[{"id":"jsonrpsee-H4;ws.rs:148;sui-json-rpc/lib.rs:175-179","kind":"nr-advisory"}],"fidelity":"lab","primitive_id":"sui_jsonrpsee_h4_ws_task_spawn"}],"mechanism":"NullRabbit source-traced H4 slow-read","name":"websocket-task-spawn-exhaustion","provenance_note":"imported from nr_registry cluster 'websocket-task-spawn-exhaustion'","status":"active"},{"display_name":"WebTransport Capsule Memory Exhaustion","external_references":[{"id":"CVE-2026-21434","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21434"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0370","instances":[],"mechanism":"WebTransport Capsule Memory Exhaustion","name":"webtransport-capsule-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'webtransport-capsule-memory-exhaustion')","status":"active"},{"display_name":"WebTransport Close Handler Deadlock","external_references":[{"id":"CVE-2026-21435","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21435"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0371","instances":[],"mechanism":"WebTransport Close Handler Deadlock","name":"webtransport-close-handler-deadlock","provenance_note":"known-but-not-reproduced coverage gap (technique 'webtransport-close-handler-deadlock')","status":"active"},{"display_name":"WebTransport Message Parsing Crash","external_references":[{"id":"GHPR-libp2p-go-libp2p-2146","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0372","instances":[],"mechanism":"WebTransport Message Parsing Crash","name":"webtransport-message-parsing-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'webtransport-message-parsing-crash')","status":"active"},{"display_name":"WebTransport Stream Map Leak OOM","external_references":[{"id":"CVE-2026-21438","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21438"}],"family":"network-p2p","first_seen":"2026-01-01","id":"NRDAX-T0373","instances":[],"mechanism":"WebTransport Stream Map Leak OOM","name":"webtransport-stream-map-leak-oom","provenance_note":"known-but-not-reproduced coverage gap (technique 'webtransport-stream-map-leak-oom')","status":"active"},{"display_name":"Witness Block Parsing DoS","external_references":[{"id":"CVE-2022-39389","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-39389"},{"id":"GHPR-near-nearcore-15908","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2022-01-01","id":"NRDAX-T0374","instances":[],"mechanism":"Witness Block Parsing DoS","name":"witness-block-parsing-dos","provenance_note":"known-but-not-reproduced coverage gap (technique 'witness-block-parsing-dos')","status":"active"},{"display_name":"XML Attribute Parsing Quadratic CPU Exhaustion","external_references":[{"id":"RUSTSEC-2026-0194","kind":"vendor-advisory","url":"https://rustsec.org/advisories/RUSTSEC-2026-0194.html"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0375","instances":[],"mechanism":"XML Attribute Parsing Quadratic CPU Exhaustion","name":"xml-attribute-parsing-quadratic-cpu-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'xml-attribute-parsing-quadratic-cpu-exhaustion')","status":"active"},{"display_name":"XML Namespace Declaration Memory Exhaustion","external_references":[{"id":"RUSTSEC-2026-0195","kind":"vendor-advisory","url":"https://rustsec.org/advisories/RUSTSEC-2026-0195.html"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0376","instances":[],"mechanism":"XML Namespace Declaration Memory Exhaustion","name":"xml-namespace-declaration-memory-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'xml-namespace-declaration-memory-exhaustion')","status":"active"},{"display_name":"Zero-Length Field Panic Crash","external_references":[{"id":"GHREL-anza-xyz-agave-v2.2.3","kind":"vendor-advisory"},{"id":"GHREL-jito-foundation-jito-solana-v1.14.18-jito","kind":"vendor-advisory"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0377","instances":[],"mechanism":"Zero-Length Field Panic Crash","name":"zero-length-field-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'zero-length-field-panic-crash')","status":"active"},{"display_name":"ZK Proof Forgery Acceptance","external_references":[{"id":"CVE-2019-7167","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2019-7167"},{"id":"CVE-2026-54496","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-54496"}],"family":"crypto","first_seen":"2019-01-01","id":"NRDAX-T0378","instances":[],"mechanism":"ZK Proof Forgery Acceptance","name":"zk-proof-forgery-acceptance","provenance_note":"known-but-not-reproduced coverage gap (technique 'zk-proof-forgery-acceptance')","status":"active"},{"display_name":"ZK Verifier Panic Crash","external_references":[{"id":"GHPR-ethereum-optimism-optimism-21561","kind":"vendor-advisory"},{"id":"GHPR-matter-labs-zksync-era-4563","kind":"vendor-advisory"}],"family":"crypto","first_seen":"2020-01-01","id":"NRDAX-T0379","instances":[],"mechanism":"ZK Verifier Panic Crash","name":"zk-verifier-panic-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'zk-verifier-panic-crash')","status":"active"},{"display_name":"zkVM Guest Memory Safety","external_references":[{"id":"CVE-2025-61588","kind":"cve","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61588"}],"family":"crypto","first_seen":"2025-01-01","id":"NRDAX-T0380","instances":[],"mechanism":"zkVM Guest Memory Safety","name":"zkvm-guest-memory-safety","provenance_note":"known-but-not-reproduced coverage gap (technique 'zkvm-guest-memory-safety')","status":"active"},{"display_name":"ZMQ Message Error-Handling Crash","external_references":[{"id":"GHPR-monero-project-monero-9052","kind":"vendor-advisory"}],"family":"network-rpc","first_seen":"2020-01-01","id":"NRDAX-T0381","instances":[],"mechanism":"ZMQ Message Error-Handling Crash","name":"zmq-message-error-handling-crash","provenance_note":"known-but-not-reproduced coverage gap (technique 'zmq-message-error-handling-crash')","status":"active"},{"display_name":"Error-Response Connection-State Leak","external_references":[],"family":"memory_amp","first_seen":"2026-07-13","id":"NRDAX-T0382","instances":[{"bundle_ref":"dnsdist_doq_error_query_mem_leak","chain":"quic","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"lab","primitive_id":"dnsdist_doq_error_query_mem_leak"}],"mechanism":"dnsdist's DoQ/DoH3 receiver allocates per-error bookkeeping state whenever it emits a self-generated FORMERR/REFUSED/SERVFAIL/NOTIMP response, and attaches that state to the QUIC connection object rather than the completed stream/query, freeing it only on full connection teardown. An attacker opens a single DoQ/DoH3 connection and streams a large run of complete, well-formed queries engineered to each trigger a local error response, causing the per-error allocations to accumulate unboundedly for as long as the connection (or its parallel siblings) stays open. The fix-class is scoping/freeing per-error bookkeeping to the query/stream lifetime instead of the connection lifetime, bounding memory growth regardless of connection duration.","name":"error-response-connection-state-leak","provenance_note":"imported from nr_registry cluster 'error-response-connection-state-leak'","status":"active"},{"display_name":"HPACK Decoded-Size Accounting Bypass","external_references":[],"family":"memory_amp","first_seen":"2026-07-13","id":"NRDAX-T0383","instances":[{"bundle_ref":"envoy_http2_hpack_cookie_amplification","chain":"http2","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"proxy","primitive_id":"envoy_http2_hpack_cookie_amplification"},{"bundle_ref":"http2_bomb_indexed_ref_window_pin","chain":"http2","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"lab","primitive_id":"http2_bomb_indexed_ref_window_pin"}],"mechanism":"Envoy's HTTP/2 HPACK decoder bounds header-block size on ENCODED bytes only, and cookie header bytes bypass the max_request_headers_kb decoded-size accounting entirely. An attacker plants one large cookie value once in the HPACK dynamic table via a literal-with-incremental-indexing field, then re-references that single entry many times per request using 1-byte indexed-header-field octets, so the wire stays tiny while Envoy materializes the full cookie value on every reference. The fix-class is bounding/accounting the DECODED header size (including cookie bytes) rather than just the encoded HPACK block, closing the asymmetric-allocation gap; without it, a few connections/streams balloon decoded-header memory past the process limit and get OOM-killed within seconds.","name":"hpack-decoded-size-accounting-bypass","provenance_note":"imported from nr_registry cluster 'hpack-decoded-size-accounting-bypass'","status":"active"},{"display_name":"HTTP/2 Continuation Frame Flood","external_references":[],"family":"compute_amp","first_seen":"2026-07-13","id":"NRDAX-T0384","instances":[{"bundle_ref":"http2_continuation_flood","chain":"http2","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"proxy","primitive_id":"http2_continuation_flood"}],"mechanism":"The HTTP/2 decoder's header-list-size guard is size-based (maxHeaderListSize - frameSize < currentSize) and never trips when each CONTINUATION frame carries zero bytes, so no count limit exists on CONTINUATION frames following an unterminated HEADERS block (END_HEADERS=0). An attacker opens a header block and streams an unbounded sequence of zero-length CONTINUATION frames on one connection, each costing only a 9-byte frame header to send. The decoder keeps parsing every frame, monopolizing a CPU thread and producing a compute-exhaustion DoS at negligible attacker bandwidth.","name":"http2-continuation-frame-flood","provenance_note":"imported from nr_registry cluster 'http2-continuation-frame-flood'","status":"active"},{"display_name":"Invalid Block Disk Replay Exhaustion","external_references":[{"id":"GHSA-78pp-mc9g-g4mw","kind":"ghsa","url":"https://github.com/advisories/GHSA-78pp-mc9g-g4mw"}],"family":"network-p2p","first_seen":"2020-01-01","id":"NRDAX-T0385","instances":[],"mechanism":"Invalid Block Disk Replay Exhaustion","name":"invalid-block-disk-replay-exhaustion","provenance_note":"known-but-not-reproduced coverage gap (technique 'invalid-block-disk-replay-exhaustion')","status":"active"},{"display_name":"Priority-Field Parse-Exception Leak","external_references":[],"family":"memory_amp","first_seen":"2026-07-13","id":"NRDAX-T0386","instances":[{"bundle_ref":"http2_malformed_priority_leak_flood","chain":"http2","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"lab","primitive_id":"http2_malformed_priority_leak_flood"}],"mechanism":"The HTTP/2 priority parser (RFC 9218 urgency field) throws an unhandled IllegalArgumentException when given an out-of-range value (e.g. u=99), and the request-handling code path lacks a catch/cleanup for this failure, leaving the half-processed request's state permanently retained. An attacker floods the server with malformed PRIORITY_UPDATE frames or priority headers, each triggering the same uncaught-exception path, causing unbounded cumulative memory retention across requests. Effect: gradual heap growth culminating in OutOfMemoryError / DoS. The fix-class is 'catch parser exceptions and ensure per-request cleanup/dispatch on all error paths', distinguishing it from stream-count or flow-control exhaustion techniques.","name":"priority-field-parse-exception-leak","provenance_note":"imported from nr_registry cluster 'priority-field-parse-exception-leak'","status":"active"},{"display_name":"QPACK Blocked-Decode Flow-Control Leak","external_references":[],"family":"memory_amp","first_seen":"2026-07-13","id":"NRDAX-T0387","instances":[{"bundle_ref":"envoy_http3_qpack_blocked_decode_leak","chain":"http3","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"proxy","primitive_id":"envoy_http3_qpack_blocked_decode_leak"}],"mechanism":"The QPACK decoder returns QUIC stream- and connection-level flow-control credit for HEADERS bytes belonging to field sections that reference dynamic-table entries not yet inserted (Required Insert Count > inserted count), even though those bytes remain resident in the decoder's blocked-section heap buffer. An attacker sends such blocked field sections and never supplies the corresponding encoder-stream inserts, so the sections never decode or free, while continuing to send more HEADERS traffic using the wrongly-returned flow-control credit. This decouples flow-control accounting from actual buffer occupancy, letting the attacker drive unbounded heap growth in the decoder and exhaust memory/DoS the HTTP/3 stack.","name":"qpack-blocked-decode-flow-control-leak","provenance_note":"imported from nr_registry cluster 'qpack-blocked-decode-flow-control-leak'","status":"active"},{"display_name":"Unbounded Header-List-Size Default OOM","external_references":[],"family":"memory_amp","first_seen":"2026-07-13","id":"NRDAX-T0388","instances":[{"bundle_ref":"netty_http3_field_section_oom","chain":"http3","discovery_origin":"reverse-engineered-cve","external_references":[],"fidelity":"proxy","primitive_id":"netty_http3_field_section_oom"}],"mechanism":"The node-side defect is an insecure default: the HTTP/3 codec's maxHeaderListSize defaults to the near-unbounded RFC 9114 ceiling ((1<<62)-1) whenever a peer omits SETTINGS_MAX_FIELD_SECTION_SIZE, instead of inheriting the safe bounded default already enforced for HTTP/1.1 and HTTP/2. An attacker simply never sends that setting, then transmits a HEADERS/QPACK block containing an enormous COUNT of distinct literal header fields; the codec keeps decoding and buffering each field with no size ceiling. The fix-class is enforcing a safe bounded default (and/or hard cap independent of peer-advertised settings) for field-section size in the HTTP/3 codec, which measurably manifests as unbounded heap growth culminating in OutOfMemoryError/process death.","name":"unbounded-header-list-size-default-oom","provenance_note":"imported from nr_registry cluster 'unbounded-header-list-size-default-oom'","status":"active"}],"total":388}