CPU exhaustion during message encoding due to O(n²) name compression
| Details |
|
| Package |
hickory-proto |
| Version |
0.24.4 |
| URL |
GHSA-q2qq-hmj6-3wpp |
| Date |
2026-05-01 |
| Patched versions |
>=0.26.1 |
| Unaffected versions |
<0.3.1 |
During message encoding, hickory-proto's BinEncoder stores pointers to
labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>.
The name compression logic then searches for matches with a linear scan.
A malicious message with many records can both introduce many candidate labels,
and invoke this linear scan many times. This can amplify CPU exhaustion in DoS
attacks.
This is similar to
CVE-2024-8508.
We recommend all affected users update to hickory-proto 0.26.1 for the fix.
See advisory page for additional details.
hickory-proto0.24.4>=0.26.1<0.3.1During message encoding,
hickory-proto'sBinEncoderstores pointers tolabels that are candidates for name compression in a
Vec<(usize, Vec<u8>)>.The name compression logic then searches for matches with a linear scan.
A malicious message with many records can both introduce many candidate labels,
and invoke this linear scan many times. This can amplify CPU exhaustion in DoS
attacks.
This is similar to
CVE-2024-8508.
We recommend all affected users update to
hickory-proto0.26.1 for the fix.See advisory page for additional details.