Hickory-DNS, CPU exhaustion due to O(n²) name compression, CVE-2024-53618 (Moderate)


During message encoding, hickory-proto's `BinEncoder` stores pointers to labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>. The name compression logic then searches that vector for matches with a linear scan. A malicious message with many records can both introduce many candidate labels and invoke this linear scan many times, so the total work grows as O(n²) in the number of records. This quadratic behaviour amplifies CPU exhaustion in Denial of Service (DoS) attacks. The issue is similar to CVE-2024-8508, which affected Unbound's name compression.

An attacker can send a crafted DNS packet with numerous records (e.g., a large answer section with many domain names). The encoder repeatedly scans the candidate vector for compressible labels, causing quadratic CPU consumption. This keeps the CPU busy until the packet is fully encoded, degrading service availability.

The vulnerability affects all `hickory-proto` versions before 0.26.1. The fix introduces a hard limit on the number of name compression calculations per packet, preventing CPU exhaustion. The issue was reported by Qifan Zhang of Palo Alto Networks.
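To make the quadratic cost concrete, the following is a simplified model of RFC 1035 pointer compression added for this page; it is not hickory-proto's own `BinEncoder` and does not reproduce its fix. The `NameEncoder` struct, its candidate `Vec<(usize, Vec<u8>)>` that is scanned linearly, the `max_lookups` cap, and the sample names are all constructed for the illustration; the cap only models the kind of per-packet hard limit the fix describes. The `comparisons` counter is the cost to watch: it grows roughly as 2n² for n unique names without a cap and stops growing once the cap is hit, while the decoder shows that capped output (uncompressed names) is still valid wire format.

```rust
// Simplified model of DNS name compression, written for this page (not hickory-proto's
// BinEncoder). Candidates live in a Vec<(offset, suffix bytes)> searched linearly, which is
// the O(n^2) pattern the advisory describes; `max_lookups` is an assumed per-packet cap that
// models the kind of hard limit the fix introduces.
pub struct NameEncoder {
    pub buf: Vec<u8>,
    candidates: Vec<(usize, Vec<u8>)>, // (offset into buf, wire form of the suffix there)
    max_lookups: Option<usize>,        // None = unbounded (the vulnerable behaviour)
    lookups: usize,
    pub comparisons: u64,              // candidate comparisons done: the CPU cost we care about
}

impl NameEncoder {
    pub fn new(max_lookups: Option<usize>) -> Self {
        NameEncoder { buf: Vec::new(), candidates: Vec::new(), max_lookups, lookups: 0, comparisons: 0 }
    }

    // Wire encoding of a label sequence: length-prefixed labels followed by a 0 terminator.
    fn wire_suffix(labels: &[&str]) -> Vec<u8> {
        let mut v = Vec::new();
        for l in labels {
            v.push(l.len() as u8);
            v.extend_from_slice(l.as_bytes());
        }
        v.push(0);
        v
    }

    // Emit one name. Every suffix is looked up in `candidates`; a hit becomes a 2-byte pointer.
    // A miss registers the suffix as a new candidate, so each later scan is a little longer.
    pub fn emit_name(&mut self, name: &str) {
        let labels: Vec<&str> = name.trim_end_matches('.').split('.').collect();
        for i in 0..labels.len() {
            let suffix = Self::wire_suffix(&labels[i..]);
            if self.max_lookups.map_or(true, |m| self.lookups < m) {
                self.lookups += 1;
                for (off, cand) in &self.candidates {
                    self.comparisons += 1;
                    if *cand == suffix && *off < 0x3FFF {
                        let off = *off as u16;
                        self.buf.push(0xC0 | (off >> 8) as u8);
                        self.buf.push((off & 0xFF) as u8);
                        return; // a pointer terminates the name
                    }
                }
                self.candidates.push((self.buf.len(), suffix));
            }
            // On a miss, or once the cap is reached, write the label in full (always valid).
            self.buf.push(labels[i].len() as u8);
            self.buf.extend_from_slice(labels[i].as_bytes());
        }
        self.buf.push(0);
    }
}

// Decode the name at `pos`, following pointers; returns the name and the position after it.
pub fn decode_name(buf: &[u8], mut pos: usize) -> (String, usize) {
    let (mut labels, mut next, mut hops) = (Vec::new(), None, 0);
    loop {
        let len = buf[pos] as usize;
        if len == 0 {
            pos += 1;
            break;
        }
        if len & 0xC0 == 0xC0 {
            next.get_or_insert(pos + 2); // resume after the first pointer seen
            pos = ((len & 0x3F) << 8) | buf[pos + 1] as usize;
            hops += 1;
            assert!(hops < 64, "pointer loop");
            continue;
        }
        labels.push(String::from_utf8_lossy(&buf[pos + 1..pos + 1 + len]).into_owned());
        pos += 1 + len;
    }
    (labels.join("."), next.unwrap_or(pos))
}

pub fn decode_all(buf: &[u8]) -> Vec<String> {
    let (mut pos, mut out) = (0, Vec::new());
    while pos < buf.len() {
        let (name, p) = decode_name(buf, pos);
        out.push(name);
        pos = p;
    }
    out
}

// Encode `n` distinct names (constructed sample input) and return (comparisons, wire bytes).
pub fn encode_batch(n: usize, max_lookups: Option<usize>) -> (u64, Vec<u8>) {
    let mut enc = NameEncoder::new(max_lookups);
    for i in 0..n {
        enc.emit_name(&format!("h{i}.zone{i}.example"));
    }
    (enc.comparisons, enc.buf)
}

fn main() {
    for n in [100, 200, 400] {
        let (unbounded, _) = encode_batch(n, None);
        let (capped, _) = encode_batch(n, Some(64));
        println!("n={n:>4}  unbounded comparisons={unbounded:>7}  capped(64)={capped:>5}");
    }
}
```

Doubling n roughly quadruples `comparisons` in the unbounded configuration, which is the signature to look for when profiling an encoder under a large-response test. The capped encoder trades a slightly larger packet for bounded work, which is why a per-packet limit is a safe mitigation: an uncompressed name is always valid, so correctness is unaffected.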

Platform: Hickory-DNS
Version: <0.26.1
Vulnerability: CPU exhaustion
Severity: Moderate
Date: 2026-05-01
Prediction: 2026-05-01

What Undercode Say:

Check whether a vulnerable hickory-proto version is in the dependency tree:
cargo tree | grep hickory-proto

Locate the label compression logic in a hickory-proto checkout:
grep -rn "BinEncoder" --include="*.rs" .

Simulate O(n²) name compression (a toy illustration of the quadratic pairing, not a DNS packet):
for i in {1..1000}; do echo "label$i" >> labels.txt; done
python3 -c "labels = [f'label{i}' for i in range(1000)]; [(x, y) for x in labels for y in labels]"

Exploit:

Craft a DNS packet with many records (e.g., 1000+ A records), each containing a unique domain name, and send it to a resolver built on hickory-proto. The encoder inserts each label into the compression candidate vector and performs a linear scan for every record, so CPU usage grows quadratically with the number of records.

Protection from this CVE

Upgrade to `hickory-proto` 0.26.1 or later. If patching is delayed, deploy network-level filtering that limits the size and complexity of incoming DNS messages, or rate-limit DNS requests from untrusted sources.

Impact

A remote, unauthenticated attacker can cause high CPU consumption, making the DNS service unresponsive (Denial of Service). The attack requires only a single malicious DNS message and can be amplified by sending multiple such messages, leading to sustained availability loss.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
