Skip to main content

Red Hat CVE-2026-35406

| EUVDEUVD-2026-19972 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-07 https://github.com/containers/aardvark-dns GHSA-hfpq-x728-986j
6.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19972
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
Patch released
Apr 07, 2026 - 20:16 nvd
Patch available
CVE Published
Apr 07, 2026 - 20:13 nvd
MEDIUM 6.2

DescriptionGitHub Advisory

Impact

A truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU.

Patches

https://github.com/containers/aardvark-dns/commit/3b49ea7b38bdea134b7f03256f2e13f44ce73bb1

Workarounds

None

Credits

Thanks to @dkane01 for reporting this

AnalysisAI

Aardvark-dns enters an unrecoverable infinite error loop consuming 100% CPU when processing a truncated TCP DNS query followed by a connection reset, causing denial of service to DNS resolution services. The vulnerability affects the aardvark-dns container DNS service and requires local network access to trigger. No public exploit code or active exploitation has been identified, but the trivial attack vector (malformed DNS packets) and high CPU impact make this a practical denial-of-service risk for containerized deployments.

Technical ContextAI

Aardvark-dns is a DNS service component for container networking that handles DNS queries from containers. The vulnerability resides in the TCP DNS query handling logic, where the code fails to properly handle the combination of a truncated DNS query packet and a subsequent connection reset. This triggers an unhandled exception or infinite retry loop rather than graceful error recovery. The root cause is classified as CWE-400 (Uncontrolled Resource Consumption), indicating the code lacks proper bounds checking or loop termination logic when processing malformed network packets. The affected product is delivered via the Rust netavark package (pkg:rust/netavark), which provides networking abstractions for container runtimes including Podman.

RemediationAI

Vendor-released patch: upgrade aardvark-dns to version v1.17.1 or later. For Podman users, update the container runtime to a version that includes the patched aardvark-dns dependency. The upstream fix is available in commit 3b49ea7b38bdea134b7f03256f2e13f44ce73bb1 and has been released in v1.17.1. No workarounds are available per the vendor advisory, so patching is the only mitigation. Reference the official advisory at https://github.com/containers/aardvark-dns/security/advisories/GHSA-hfpq-x728-986j for platform-specific upgrade instructions.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.2 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-35406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy