GHSA-q2qq-hmj6-3wpp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-q2qq-hmj6-3wpp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-q2qq-hmj6-3wpp/GHSA-q2qq-hmj6-3wpp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-q2qq-hmj6-3wpp
- Aliases
- Downstream
- Related
- Published
- 2026-05-07T02:59:48Z
- Modified
- 2026-05-08T07:14:21.676604269Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression
- Details
-
During message encoding,
hickory-proto'sBinEncoderstores pointers to labels that are candidates for name compression in aVec<(usize, Vec<u8>)>. The name compression logic then searches for matches with a linear scan.A malicious message with many records can both introduce many candidate labels, and invoke this linear scan many times. This can amplify CPU exhaustion in DoS attacks.
This is similar to CVE-2024-8508.
Reporter
Qifan Zhang, Palo Alto Networks
- Database specific
{ "github_reviewed_at": "2026-05-07T02:59:48Z", "github_reviewed": true, "cwe_ids": [ "CWE-407", "CWE-770" ], "nvd_published_at": null, "severity": "MODERATE" }- References
Affected packages
crates.io / hickory-proto
Package
- Name
- hickory-proto
- View open source insights on deps.dev
- Purl
- pkg:cargo/hickory-proto