GHSA-q2qq-hmj6-3wpp: hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression

May 7, 2026

During message encoding, hickory-proto’s BinEncoder stores pointers to labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>. The name compression logic then searches for matches with a linear scan.

A malicious message with many records can both introduce many candidate labels and invoke this linear scan many times, so the encoding work grows quadratically with the number of labels. This can amplify CPU exhaustion in DoS attacks.

This is similar to CVE-2024-8508.
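
The cost described above, measured on a simplified model of a compression table (an added example, not hickory-proto's code and not taken from the upstream fix). The functions `wire`, `encode` and `sample` and the hash-indexed variant are assumptions for illustration, and the sample names are constructed.

```rust
use std::collections::HashMap;

/// Length-prefixed wire form of a run of labels (root byte not included).
fn wire(labels: &[String]) -> Vec<u8> {
    let mut out = Vec::new();
    for l in labels {
        out.push(l.len() as u8);
        out.extend_from_slice(l.as_bytes());
    }
    out
}

/// Encodes `names` with suffix compression and returns (encoded length, lookup work).
/// hashed = false: linear scan over Vec<(usize, Vec<u8>)>, as the advisory describes.
/// hashed = true: hypothetical hash-indexed table (an assumption for comparison).
fn encode(names: &[Vec<String>], hashed: bool) -> (usize, usize) {
    let mut list: Vec<(usize, Vec<u8>)> = Vec::new();
    let mut index: HashMap<Vec<u8>, usize> = HashMap::new();
    let (mut offset, mut work) = (0usize, 0usize);
    for labels in names {
        let mut compressed = false;
        for i in 0..labels.len() {
            let suffix = wire(&labels[i..]);
            let found = if hashed {
                work += 1; // one probe per suffix
                index.contains_key(&suffix)
            } else {
                // every stored candidate is compared until one matches
                list.iter().any(|(_, s)| { work += 1; *s == suffix })
            };
            if found { offset += 2; compressed = true; break; } // 2-byte pointer
            if hashed { index.insert(suffix, offset); } else { list.push((offset, suffix)); }
            offset += 1 + labels[i].len();
        }
        if !compressed { offset += 1; } // terminating root label
    }
    (offset, work)
}

/// Constructed sample: n names with a unique first label under one shared parent.
fn sample(n: usize) -> Vec<Vec<String>> {
    (0..n).map(|i| vec![format!("h{}", i), "example".into(), "com".into()]).collect()
}

fn main() {
    for n in [100, 200, 400] {
        let (len, linear) = encode(&sample(n), false);
        println!("n={} bytes={} linear={} hashed={}", n, len, linear, encode(&sample(n), true).1);
    }
}
```

For 100 names the linear table performs 5349 candidate comparisons against 201 hash probes, and doubling the input roughly quadruples the former while the encoded output stays identical.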

References

  • github.com/advisories/GHSA-q2qq-hmj6-3wpp
  • github.com/hickory-dns/hickory-dns
  • github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp
  • rustsec.org/advisories/RUSTSEC-2026-0119.html

Affected versions

All versions starting from 0.3.1 before 0.26.1

Fixed versions

  • 0.26.1

Solution

Upgrade to version 0.26.1 or above.

Impact 5.3 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Weakness

  • CWE-407: Inefficient Algorithmic Complexity
  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

cargo/hickory-proto/GHSA-q2qq-hmj6-3wpp.yml

Page generated Sat, 09 May 2026 00:18:52 +0000.