{"id":"RUSTSEC-2026-0119","summary":"CPU exhaustion during message encoding due to O(n²) name compression","details":"During message encoding, `hickory-proto`'s `BinEncoder` stores pointers to\nlabels that are candidates for name compression in a `Vec\u003c(usize, Vec\u003cu8\u003e)\u003e`.\nThe name compression logic then searches for matches with a linear scan.\n\nA malicious message with many records can both introduce many candidate labels,\nand invoke this linear scan many times. This can amplify CPU exhaustion in DoS\nattacks.\n\nThis is similar to\n[CVE-2024-8508](https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt).\n\nWe recommend all affected users update to `hickory-proto` 0.26.1 for the fix.","modified":"2026-05-01T14:45:08.892979Z","published":"2026-05-01T12:00:00Z","related":["CVE-2024-8508"],"database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/hickory-proto"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0119.html"},{"type":"ADVISORY","url":"https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-q2qq-hmj6-3wpp"}],"affected":[{"package":{"name":"hickory-proto","ecosystem":"crates.io","purl":"pkg:cargo/hickory-proto"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.3.1"},{"fixed":"0.26.1"}]}],"ecosystem_specific":{"affected_functions":null,"affects":{"os":[],"functions":[],"arch":[]}},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0119.json","informational":null,"categories":["denial-of-service"],"cvss":null}}],"schema_version":"1.7.5"}