GHSA-q2qq-hmj6-3wpp

ADVISORY - github

Summary

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>. The name compression logic then searches for matches with a linear scan.

A malicious message with many records can both introduce many candidate labels, and invoke this linear scan many times. This can amplify CPU exhaustion in DoS attacks.

This is similar to CVE-2024-8508.

Reporter

Qifan Zhang, Palo Alto Networks

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-407⁠

Inefficient Algorithmic Complexity

CWE-770⁠

Allocation of Resources Without Limits or Throttling

Impacted images

Advisories

GitHub

CREATED

8 hours ago

UPDATED

8 hours ago

ADVISORY IDGHSA-q2qq-hmj6-3wpp⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-407⁠CWE-770⁠

CVSS SCORE

6.9medium

RustSec

CREATED

6 days ago

UPDATED

2 hours ago

ADVISORY IDRUSTSEC-2026-0119⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY