Infinite loop Affecting hickory-proto package, versions <0.26.0-beta.1

Q: How to fix?

Upgrade hickory-proto to version 0.26.0-beta.1 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-HICKORYPROTO-16346342
published3 May 2026
disclosed1 May 2026
creditDavid Cook

Report a new vulnerability Found a mistake?

Introduced: 1 May 2026

NewCWE-835 (opens in a new tab)

How to fix?

Upgrade hickory-proto to version 0.26.0-beta.1 or higher.

Overview

Affected versions of this package are vulnerable to Infinite loop in the DnssecDnsHandle process. An attacker can cause the process to enter an unbounded loop and exhaust system memory by returning a DNS response with an authority section containing an SOA record that is not an ancestor of the queried name, triggering repeated allocations. This is only exploitable if the dnssec-ring or dnssec-aws-lc-rs feature is enabled and DNSSEC validation is configured.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
None
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None