{"id":"GHSA-3v94-mw7p-v465","summary":"hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses","details":"The NSEC3 closest-encloser proof validation in `hickory-proto`'s (0.25.0-alpha.3 ... 0.25.2) and `hickory-net`'s (0.26.0-alpha.1 .. 0.26.0)  `DnssecDnsHandle` walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of the SOA owner, terminating only when the current candidate equals the SOA name. When the SOA in a response's authority section is not an ancestor of the QNAME, the loop stalls at the DNS root and never terminates, repeatedly calling `Name::base_name()` and pushing newly allocated `Name` and hashed-name entries into the candidate `Vec`.\n\nThe bug is reachable by any caller of `DnssecDnsHandle`, including the resolver, recursor, and client, when built with the `dnssec-ring` or `dnssec-aws-lc-rs` feature and configured to perform DNSSEC validation. It is triggered while validating a NoData or NXDomain response whose authority section contains an SOA record from a zone other than an ancestor of the QNAME, on a code path that requires NSEC3 closest-encloser proof. In practice this can be reached through an insecure CNAME chain that crosses zone boundaries into a DNSSEC-signed zone returning NoData, but the minimum condition is just a mismatched SOA owner on a response requiring NSEC3 validation.\n\nA `debug_assert_ne!(name, Name::root())` guards the loop body, so debug builds abort with a panic on the first iteration past the root. Release builds compile the assertion out and run the loop unbounded, allocating until the process exhausts available memory. A reachable upstream attacker who can return such a response can therefore crash a debug build or exhaust memory on a release build, for the affected configurations.\n\nThe affected code was migrated from `hickory-proto` to `hickory-net` as part of the 0.26.0 release. Hickory DNS recommends that all affected users update to `hickory-net` 0.26.1 for the fix.\n\n### Reporter\n\nDavid Cook, ISRG","aliases":["RUSTSEC-2026-0118","RUSTSEC-2026-0120"],"modified":"2026-05-08T07:14:21.762869841Z","published":"2026-05-07T02:59:20Z","related":["CGA-37h6-gm7x-242m"],"database_specific":{"github_reviewed_at":"2026-05-07T02:59:20Z","github_reviewed":true,"severity":"HIGH","nvd_published_at":null,"cwe_ids":["CWE-835"]},"references":[{"type":"WEB","url":"https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465"},{"type":"PACKAGE","url":"https://github.com/hickory-dns/hickory-dns"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2026-0118.html"},{"type":"WEB","url":"https://rustsec.org/advisories/RUSTSEC-2026-0120.html"}],"affected":[{"package":{"name":"hickory-proto","ecosystem":"crates.io","purl":"pkg:cargo/hickory-proto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.25.0-alpha.3"},{"last_affected":"0.25.2"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3v94-mw7p-v465/GHSA-3v94-mw7p-v465.json"}},{"package":{"name":"hickory-net","ecosystem":"crates.io","purl":"pkg:cargo/hickory-net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.26.0-alpha.1"},{"fixed":"0.26.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3v94-mw7p-v465/GHSA-3v94-mw7p-v465.json","last_known_affected_version_range":"\u003c= 0.26.0"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}