RUSTSEC-2026-0119 - Debian Rust Security Tracker

RUSTSEC-2026-0119: CPU exhaustion during message encoding due to O(n²) name compression

6 affected

Crate: hickory-proto
Patched Versions: >=0.26.1
Debian Version: 0.25.2-3
Issued: 2026-05-01
Aliases: GHSA-q2qq-hmj6-3wpp
Patched:Affected

During message encoding, hickory-proto's BinEncoder stores pointers to labels that are candidates for name compression in a Vec<(usize, Vec<u8>)>. The name compression logic then searches for matches with a linear scan.

A malicious message with many records can both introduce many candidate labels, and invoke this linear scan many times. This can amplify CPU exhaustion in DoS attacks.

This is similar to CVE-2024-8508.

We recommend all affected users update to hickory-proto 0.26.1 for the fix.

Affected Packages

hickory-proto 0.25.2 gpg-sq 0.13.1-12

hickory-proto 0.25.2 gpgv-sq 0.13.1-12

hickory-proto 0.25.2 hickory-dns 0.25.2-3

affected ⚠️ librust-hickory-proto-dev 0.25.2-3

hickory-proto 0.24.4 sequoia-git 0.6.0-1+b1

hickory-proto 0.25.2 sq 1.3.1-10