{"id":"RUSTSEC-2026-0120","summary":"NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses","details":"The NSEC3 closest-encloser proof validation in `hickory-net`'s\n`DnssecDnsHandle` walks from the QNAME up to the SOA owner name, building a\nlist of candidate encloser names. The iterator used assumes the\nQNAME is a descendant of the SOA owner, terminating only when the current\ncandidate equals the SOA name. When the SOA in a response's authority section\nis not an ancestor of the QNAME, the loop stalls at the DNS root and never\nterminates, repeatedly calling `Name::base_name()` and pushing newly allocated\n`Name` and hashed-name entries into the candidate `Vec`.\n\nThe bug is reachable by any caller of `DnssecDnsHandle` — including the\nresolver, recursor, and client — when built with the `dnssec-ring` or\n`dnssec-aws-lc-rs` feature and configured to perform DNSSEC validation. It is\ntriggered while validating a NoData or NXDomain response whose authority\nsection contains an SOA record from a zone other than an ancestor of the\nQNAME, on a code path that requires NSEC3 closest-encloser proof. In practice\nthis can be reached through an insecure CNAME chain that crosses zone\nboundaries into a DNSSEC-signed zone returning NoData, but the minimum\ncondition is just a mismatched SOA owner on a response requiring NSEC3\nvalidation.\n\nA `debug_assert_ne!(name, Name::root())` guards the loop body, so debug builds\nabort with a panic on the first iteration past the root. Release builds\ncompile the assertion out and run the loop unbounded, allocating until the\nprocess exhausts available memory (OOM). A reachable upstream attacker who\ncan return such a response can therefore crash a debug-built validator or\nexhaust memory on a release-built one.\n\nWe recommend all affected users update to `hickory-net` 0.26.1 for the fix.","modified":"2026-05-01T14:45:12.070250Z","published":"2026-05-01T12:00:00Z","database_specific":{"license":"CC-BY-4.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/hickory-net"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0120.html"},{"type":"ADVISORY","url":"https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-3v94-mw7p-v465"}],"affected":[{"package":{"name":"hickory-net","ecosystem":"crates.io","purl":"pkg:cargo/hickory-net"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.26.1"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":[]},"affected_functions":null},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0120.json","categories":["denial-of-service"],"cvss":null}}],"schema_version":"1.7.5"}