{"id":"RUSTSEC-2026-0119","summary":"CPU exhaustion during message encoding due to O(n²) name compression","details":"During message encoding, `hickory-proto`'s `BinEncoder` stores pointers to\nlabels that are candidates for name compression in a `Vec\u003c(usize, Vec\u003cu8\u003e)\u003e`.\nThe name compression logic then searches for matches with a linear scan.\n\nA malicious message with many records can both introduce many candidate labels,\nand invoke this linear scan many times. This can amplify CPU exhaustion in DoS\nattacks.\n\nThis is similar to\n[CVE-2024-8508](https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt).\n\nWe recommend all affected users update to `hickory-proto` 0.26.1 for the fix.","aliases":["GHSA-q2qq-hmj6-3wpp"],"modified":"2026-05-07T08:56:41Z","published":"2026-05-01T12:00:00Z","related":["CVE-2024-8508"],"database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/hickory-proto"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0119.html"},{"type":"ADVISORY","url":"https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp"}],"affected":[{"package":{"name":"hickory-proto","ecosystem":"crates.io","purl":"pkg:cargo/hickory-proto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.3.1"},{"fixed":"0.26.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"functions":[],"os":[]},"affected_functions":null},"database_specific":{"informational":null,"cvss":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0119.json","categories":["denial-of-service"]}}],"schema_version":"1.7.5"}