CVE-2026-35406

Name
CVE-2026-35406
Description
Aardvark-dns is an authoritative dns server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. This vulnerability is fixed in 1.17.1.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/containers/aardvark-dns/commit/3b49ea7b38bdea134b7f03256f2e13f44ce73bb1
security-advisories@github.com https://github.com/containers/aardvark-dns/releases/tag/v1.17.1
security-advisories@github.com https://github.com/containers/aardvark-dns/security/advisories/GHSA-hfpq-x728-986j

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:containers:aardvark-dns:*:*:*:*:*:*:*:* aardvark-dns >= 1.16.0 < 1.17.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
aardvark-dns edge-community 1.17.1-r0 Michał Polański <michal@polanski.me> fixed
aardvark-dns edge-community 1.16.0-r0 Michał Polański <michal@polanski.me> possibly vulnerable
aardvark-dns 3.23-community 1.16.0-r0 Michał Polański <michal@polanski.me> possibly vulnerable