CVE-2026-47703: AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle
This report covers the client-triggered DoQ forwarding path in:
- dnsproxy v0.81.2 (adguard/dnsproxy:v0.81.2)
- AdGuard Home v0.107.74 (adguard/adguardhome:latest, image version label v0.107.74)
The issue was reproduced on 2026-04-25 with the products configured through
their documented DoQ listener and plain UDP upstream surfaces. The scope is the
internal backend UDP hop created when a DoQ query is forwarded to a udp://
upstream.
On that path, the backend DNS ID is not preserved as an independent source of
entropy. For both products, the backend observer saw dns_id=0 for every
sampled client-triggered query on the tested path. Repeated reruns then showed
the same txid=0 behavior and the same positive source-port oracle on every
sampled run. A separate quoted-port ICMP oracle distinguished the correct
backend UDP source port from a wrong one with a stable, client-visible behavior
change.
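As a hardening illustration for the zero-ID condition described above, the Go sketch below stamps a random transaction ID on the copy of a query that goes out on the UDP hop, and accepts a reply only if it is a response carrying that same ID. It is an added example, not code or a fix from dnsproxy or AdGuard Home; `withFreshID`, `acceptResponse` and `sampleQuery` are hypothetical names, the sample query is constructed, and the sketch does not address the source-port oracle.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// sampleQuery is a constructed query for example.com/A with ID 0, the value
// the report observed on the backend UDP hop.
var sampleQuery = append([]byte{0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0},
	"\x07example\x03com\x00\x00\x01\x00\x01"...)

// withFreshID copies a query and stamps a random ID for the UDP hop only.
func withFreshID(query []byte) ([]byte, uint16, error) {
	if len(query) < 12 { // the fixed DNS header is 12 bytes
		return nil, 0, errors.New("short DNS message")
	}
	out := append([]byte(nil), query...)
	if _, err := rand.Read(out[:2]); err != nil {
		return nil, 0, err
	}
	return out, binary.BigEndian.Uint16(out[:2]), nil
}

// acceptResponse drops replies that are not responses or whose ID differs
// from the one sent, then restores the ID the client originally used.
func acceptResponse(resp []byte, sentID, clientID uint16) ([]byte, error) {
	if len(resp) < 12 || resp[2]&0x80 == 0 { // QR bit must be set
		return nil, errors.New("not a DNS response")
	}
	if binary.BigEndian.Uint16(resp[:2]) != sentID {
		return nil, errors.New("transaction ID mismatch")
	}
	out := append([]byte(nil), resp...)
	binary.BigEndian.PutUint16(out[:2], clientID)
	return out, nil
}

func main() {
	q, id, _ := withFreshID(sampleQuery)
	reply := append([]byte(nil), q...) // constructed reply echoing the backend ID
	reply[2] |= 0x80
	out, err := acceptResponse(reply, id, 0)
	fmt.Printf("backend id=%#04x accepted=%v client id=%d\n",
		id, err == nil, binary.BigEndian.Uint16(out[:2]))
}
```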
Attached evidence: