Security researchers have discovered a critical vulnerability dubbed “Wallbleed” in the Great Firewall of China (GFW), providing unprecedented insights into the world’s most sophisticated internet filtering system. The vulnerability, actively exploited for research purposes from 2021 to 2024, has revealed crucial technical details about the firewall’s internal operations and architecture.
Technical Analysis of the Wallbleed Vulnerability
The vulnerability specifically targets the firewall’s DNS injection subsystem, responsible for blocking access to prohibited websites. Under specific conditions, the DNS request parser leaked up to 125 bytes of memory data from filtering devices, exposing critical system information including processor architecture (x86_64) and memory retention patterns. This technical oversight provided researchers with a unique window into the system’s core functionality.
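To make the bug class concrete, here is an added illustration (not code from the Wallbleed paper, the GFW, or any DNS library): a DNS question-name parser that trusts each label-length byte beside one that checks every read against the datagram length. The receive buffer, header bytes, stale bytes and packets are constructed for the example.

```python
# Added example (not GFW or Wallbleed-paper code): DNS QNAME copying without
# and with bounds checks, to show the over-read class the article describes.
DNS_HEADER_LEN = 12
MAX_LABEL_LEN = 63  # RFC 1035 label limit; also excludes 0xC0 pointers
STALE_TAIL = b"stale:prev-client-id=4711\x00"  # constructed leftover bytes

def build_query(qname_wire: bytes) -> bytes:
    """Header (ID 0x1234, RD set, QDCOUNT=1) followed by the raw QNAME."""
    return b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + qname_wire

def receive(pkt: bytes) -> tuple:
    """Model the receive buffer: datagram first, stale bytes after it.
    Returns (buffer, datagram_length); only the first datagram_length bytes are input."""
    return pkt + STALE_TAIL, len(pkt)

def copy_qname_unchecked(buf: bytes, pkt_len: int) -> bytes:
    """Vulnerable pattern: each label length is trusted and only the end of
    readable memory (len(buf)) stops the copy, so a short datagram whose last
    label claims more bytes than remain pulls in STALE_TAIL."""
    labels, off = [], DNS_HEADER_LEN
    while off < len(buf):
        n, off = buf[off], off + 1
        if n == 0:
            break
        labels.append(buf[off:off + n])  # may extend past pkt_len
        off += n
    return b".".join(labels)

def copy_qname_checked(buf: bytes, pkt_len: int) -> bytes:
    """Hardened form: validate every read against pkt_len before doing it
    and reject a malformed name instead of copying whatever follows it."""
    labels, off = [], DNS_HEADER_LEN
    while True:
        if off >= pkt_len:
            raise ValueError("QNAME runs past the end of the datagram")
        n, off = buf[off], off + 1
        if n == 0:
            return b".".join(labels)
        if n > MAX_LABEL_LEN:
            raise ValueError(f"label length {n} exceeds {MAX_LABEL_LEN}")
        if off + n > pkt_len:
            raise ValueError("label length exceeds remaining datagram bytes")
        labels.append(buf[off:off + n])
        off += n

# Constructed inputs: a well-formed query and a truncated one whose final
# label claims 63 bytes while only 3 remain in the datagram.
GOOD_PKT = build_query(b"\x03www\x07example\x03com\x00") + b"\x00\x01\x00\x01"
BAD_PKT = build_query(b"\x03www\x3fexa")
```

Running `copy_qname_unchecked(*receive(BAD_PKT))` returns the name plus the stale bytes that followed the datagram in the buffer, while `copy_qname_checked` raises on the same input and returns `b"www.example.com"` for the well-formed packet.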
GFW Infrastructure Scale: Hundreds of Millions of Chinese IPs Filtered
Analysis of the extracted data confirmed the massive scale of China’s filtering infrastructure, with vulnerable devices processing traffic from hundreds of millions of Chinese IP addresses. The discovery validates long-held theories about the centralized nature of the country’s internet control system, providing concrete evidence of its architectural framework for the first time.
Vulnerability Timeline and Remediation Efforts
The research team identified two distinct versions of the vulnerability: Wallbleed v1, active until autumn 2023, and Wallbleed v2, which persisted until March 2024. Chinese authorities attempted remediation twice – an initial partial fix in September-October 2023, followed by a comprehensive patch in March 2024 that finally addressed the security gap.
Great Firewall’s Technical Architecture Revealed
The investigation exposed the sophisticated nature of the filtering system, which employs at least three concurrent DNS injection systems. This redundant architecture ensures effective content blocking even if users successfully bypass initial DNS restrictions. The research highlights the complex, multi-layered approach to internet content control implemented since the late 1990s.
The three-year window of data extraction (2021–2024) before Chinese authorities applied a comprehensive patch demonstrates how long-lived memory-disclosure vulnerabilities can persist in critical national infrastructure when not actively monitored. The 125-byte memory leak per DNS query is a textbook heap over-read, the same class of vulnerability as Heartbleed, highlighting that large-scale filtering systems are subject to the same implementation flaws as any other software stack.