CWE-662
DiscouragedImproper Synchronization
Abstraction: Class · Status: Draft
The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.
72 vulnerabilities reference this CWE, most recent first.
GHSA-RW2C-C256-3R53
Vulnerability from github – Published: 2021-08-25 20:51 – Updated: 2023-06-13 18:08Affected versions of hashconsing implements Send/Sync for its HConsed type without restricting it to Sendable types and Syncable types. This allows non-Sync types such as Cell to be shared across threads leading to undefined behavior and memory corruption in concurrent programs.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "hashconsing"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36215"
],
"database_specific": {
"cwe_ids": [
"CWE-662",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:47:26Z",
"nvd_published_at": "2021-01-26T18:15:00Z",
"severity": "HIGH"
},
"details": "Affected versions of hashconsing implements Send/Sync for its HConsed type without restricting it to Sendable types and Syncable types. This allows non-Sync types such as Cell to be shared across threads leading to undefined behavior and memory corruption in concurrent programs.",
"id": "GHSA-rw2c-c256-3r53",
"modified": "2023-06-13T18:08:34Z",
"published": "2021-08-25T20:51:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36215"
},
{
"type": "WEB",
"url": "https://github.com/AdrienChampion/hashconsing/issues/1"
},
{
"type": "PACKAGE",
"url": "https://github.com/AdrienChampion/hashconsing"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0107.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data races in hashconsing"
}
GHSA-V2RQ-G9FX-7MR6
Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock.
{
"affected": [],
"aliases": [
"CVE-2016-8368"
],
"database_specific": {
"cwe_ids": [
"CWE-662"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-02-13T21:59:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock.",
"id": "GHSA-v2rq-g9fx-7mr6",
"modified": "2022-05-13T01:06:04Z",
"published": "2022-05-13T01:06:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8368"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-03"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/94632"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VFPH-FVW4-J4XP
Vulnerability from github – Published: 2024-09-26 09:31 – Updated: 2024-09-26 09:31An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.
{
"affected": [],
"aliases": [
"CVE-2024-4278"
],
"database_specific": {
"cwe_ids": [
"CWE-662",
"CWE-821"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T07:15:02Z",
"severity": "MODERATE"
},
"details": "An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.",
"id": "GHSA-vfph-fvw4-j4xp",
"modified": "2024-09-26T09:31:41Z",
"published": "2024-09-26T09:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4278"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2466205"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/issues/458484"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VFV6-GCFM-5FX2
Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2022-05-24 16:45An exploitable denial-of-service vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause a semaphore deadlock, which prevents the device from receiving any physical or network inputs. An attacker can send a specially crafted packet to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2018-4027"
],
"database_specific": {
"cwe_ids": [
"CWE-662"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-05-13T16:29:00Z",
"severity": "HIGH"
},
"details": "An exploitable denial-of-service vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause a semaphore deadlock, which prevents the device from receiving any physical or network inputs. An attacker can send a specially crafted packet to trigger this vulnerability.",
"id": "GHSA-vfv6-gcfm-5fx2",
"modified": "2022-05-24T16:45:32Z",
"published": "2022-05-24T16:45:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4027"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0699"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-VWX4-FRPR-W27J
Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2022-12-01 22:11Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.convertigo.jenkins.plugins:convertigo-mobile-platform"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-25210"
],
"database_specific": {
"cwe_ids": [
"CWE-662",
"CWE-820"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-24T17:41:42Z",
"nvd_published_at": "2022-02-15T17:15:00Z",
"severity": "LOW"
},
"details": "Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.",
"id": "GHSA-vwx4-frpr-w27j",
"modified": "2022-12-01T22:11:12Z",
"published": "2022-02-16T00:01:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25210"
},
{
"type": "PACKAGE",
"url": "https://github.com/jenkinsci/convertigo-mobile-platform-plugin"
},
{
"type": "WEB",
"url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2280"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper Synchronization in Jenkins Convertigo Mobile Platform Plugin"
}
GHSA-W8WM-5QPX-C8J6
Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-20 19:00A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.
{
"affected": [],
"aliases": [
"CVE-2022-3565"
],
"database_specific": {
"cwe_ids": [
"CWE-119",
"CWE-662"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-17T19:15:00Z",
"severity": "HIGH"
},
"details": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.",
"id": "GHSA-w8wm-5qpx-c8j6",
"modified": "2022-10-20T19:00:36Z",
"published": "2022-10-18T12:00:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3565"
},
{
"type": "WEB",
"url": "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=2568a7e0832ee30b0a351016d03062ab4e0e0a3f"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.211088"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WMWV-5VWP-C54W
Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-20 00:00A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
{
"affected": [],
"aliases": [
"CVE-2022-2962"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-662",
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-09-13T20:15:00Z",
"severity": "HIGH"
},
"details": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn\u0027t check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
"id": "GHSA-wmwv-5vwp-c54w",
"modified": "2022-09-20T00:00:29Z",
"published": "2022-09-14T00:00:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2962"
},
{
"type": "WEB",
"url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"
},
{
"type": "WEB",
"url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WR55-MF5C-HHWM
Vulnerability from github – Published: 2021-08-25 20:50 – Updated: 2023-06-13 18:16Affected versions of this crate implemented Sync for LateStatic with T: Send, so that it is possible to create a data race to a type T: Send + !Sync (e.g. Cell).
This can result in a memory corruption or other kinds of undefined behavior.
The flaw was corrected in commit 11f396c by replacing the T: Send bound to T: Sync bound in the Sync impl for LateStatic.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "late-static"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-36209"
],
"database_specific": {
"cwe_ids": [
"CWE-662"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:52:13Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Affected versions of this crate implemented Sync for LateStatic with T: Send, so that it is possible to create a data race to a type T: Send + !Sync (e.g. Cell\u003cT\u003e).\n\nThis can result in a memory corruption or other kinds of undefined behavior.\n\nThe flaw was corrected in commit 11f396c by replacing the T: Send bound to T: Sync bound in the Sync impl for LateStatic\u003cT\u003e.",
"id": "GHSA-wr55-mf5c-hhwm",
"modified": "2023-06-13T18:16:02Z",
"published": "2021-08-25T20:50:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36209"
},
{
"type": "WEB",
"url": "https://github.com/Richard-W/late-static/issues/1"
},
{
"type": "WEB",
"url": "https://github.com/Richard-W/late-static/commit/11f396c"
},
{
"type": "PACKAGE",
"url": "https://github.com/Richard-W/late-static"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0102.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Data races in late-static"
}
GHSA-X2W4-C67P-G44J
Vulnerability from github – Published: 2023-06-06 21:30 – Updated: 2025-02-13 18:56Grafana is an open-source platform for monitoring and observability.
Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.
The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.
This might enable malicious users to crash Grafana instances through that endpoint.
Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.4.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/grafana/grafana"
},
"ranges": [
{
"events": [
{
"introduced": "9.5.0"
},
{
"fixed": "9.5.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-2801"
],
"database_specific": {
"cwe_ids": [
"CWE-662",
"CWE-820"
],
"github_reviewed": true,
"github_reviewed_at": "2023-06-07T15:08:08Z",
"nvd_published_at": "2023-06-06T19:15:11Z",
"severity": "HIGH"
},
"details": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it\u0027s also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.",
"id": "GHSA-x2w4-c67p-g44j",
"modified": "2025-02-13T18:56:29Z",
"published": "2023-06-06T21:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801"
},
{
"type": "PACKAGE",
"url": "https://github.com/grafana/grafana"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2023-2801"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230706-0002"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Grafana Missing Synchronization vulnerability"
}
GHSA-XGX4-4H9W-53PV
Vulnerability from github – Published: 2026-06-04 19:50 – Updated: 2026-06-04 19:50Summary
This report covers the client-triggered DoQ forwarding path in:
dnsproxyv0.81.2(adguard/dnsproxy:v0.81.2)AdGuard Homev0.107.74(adguard/adguardhome:latest, image version labelv0.107.74)
The issue was reproduced on 2026-04-25 with the products configured through
their documented DoQ listener and plain UDP upstream surfaces. The scope is the
internal backend UDP hop created when a DoQ query is forwarded to a udp://
upstream.
On that path, the backend DNS ID is not preserved as an independent source of
entropy. For both products, the backend observer saw dns_id=0 for every
sampled client-triggered query on the tested path. Repeated reruns then showed
the same txid=0 behavior and the same positive source-port oracle on every
sampled run. A separate quoted-port ICMP oracle distinguished the correct
backend UDP source port from a wrong one with a stable, client-visible behavior
change.
Attached evidence:
dnsproxyoracle path onv0.81.2: attachments/artifacts/g03/20260425T141500Z-g03-v0812/summary.txtdnsproxyv0.81.2repeatability: attachments/artifacts/g03/repeatability-v0812.mddnsproxysteering follow-up onv0.81.2: attachments/artifacts/g04/20260425T141900Z-g04-v0812/summary.txtAdGuard Homeoracle path: attachments/artifacts/g05/20260425T113000Z-g05/summary.txt
Root Cause Analysis
The observable behavior is consistent across both products:
- A DoQ client query is accepted on the frontend listener.
- The query is forwarded over a backend UDP leg.
- On that backend leg, the forwarded DNS
IDcollapses to0on the client-triggered path instead of remaining a fresh per-query variable. - The backend UDP source port is still allocated per query.
- When an ICMP error quotes the actual backend source port, the forwarding path flips behavior in a way that does not occur for a wrong quoted port.
That combination removes txid from the backend tuple on the tested path and
leaves the UDP source port as the main remaining variable. In practical terms,
the backend hop stops behaving like a fresh (txid, source-port) pair per
forwarded query and instead becomes a one-variable state exposure.
For dnsproxy, the correct quoted port does more than produce a failure signal:
it can push resolution away from the primary UDP upstream and into the fallback
upstream. For AdGuard Home, the same condition produces a fast SERVFAIL.
Reproduce
Prerequisites:
- Docker and Docker Compose
- OpenSSL
- build the lab helper image used by the attached harness and observer
The attached reproducer bundle contains only the files needed for this report:
- scripts:
attachments/scripts/ - helper image build files:
attachments/docker/unbound-doq-attacker/ - compose files:
attachments/docker-compose.g03.yml,attachments/docker-compose.g04.yml,attachments/docker-compose.g05.yml - shipped evidence:
attachments/artifacts/...
Build the helper image first:
cd attachmentsdocker build -t unbound-doq-attacker:latest -f docker/unbound-doq-attacker/Dockerfile docker/unbound-doq-attacker
To rerun dnsproxy:
cd attachmentsbash scripts/repro-g03-dnsproxy-oracle.sh- Inspect
artifacts/g03/<RUN_ID>/summary.txt - Inspect
artifacts/g03/<RUN_ID>/entropy-backend.jsonl,txid_correct-backend.jsonl, andport_correct-backend.jsonl
To rerun the dnsproxy fallback-steering case:
cd attachmentsbash scripts/repro-g04-dnsproxy-steering.sh- Inspect
artifacts/g04/<RUN_ID>/summary.txt - Inspect
steering_correct-main.jsonlandsteering_correct-fallback.jsonl
To rerun AdGuard Home:
cd attachmentsbash scripts/repro-g05-adguardhome-oracle.sh- Inspect
artifacts/g05/<RUN_ID>/summary.txt - Inspect
entropy-backend.jsonl,txid_correct-backend.jsonl, andport_correct-backend.jsonl
The attached evidence includes fresh dnsproxy v0.81.2 reruns, one official-
profile AdGuard Home run, and the minimal reproducer bundle used by both.
Impact
For both products, the tested DoQ-to-UDP path is no longer a full
(txid, source-port) search surface:
dnsproxy: four of four sampled runs showedtxid=0on the backend hop and a positive source-port oracle onv0.81.2. The remaining unknown isport_only. Median wrong/correct port latency was327.99 ms / 40.93 ms.AdGuard Home: four of four sampled runs showedtxid=0on the backend hop and a positive source-port oracle. The aggregate again classifies the remaining unknown asport_only. Median wrong/correct port latency was319.14 ms / 37.02 ms.
Product-specific effects:
dnsproxy: a correct port guess produced an empty client-visible answer on the base oracle path, and in the fallback profile it steered all eight tested queries away from the main upstream and into the fallback upstream.AdGuard Home: a correct port guess produced fastSERVFAILand an extra backend query.
This is the security-relevant point. On the tested official profiles, the
backend hop no longer forces an off-path attacker to deal with two fresh random
fields per forwarded DNS race. The DNS ID is already known: it is
deterministically 0 on the client-triggered DoQ-to-UDP path. The only
remaining backend tuple variable is the UDP source port, and the attached
evidence shows a repeatable oracle for that remaining variable.
That places the path in the same threat-model class as oracle-assisted DNS
forgery work such as SAD DNS and TUdoor: the attack first uses an oracle to
learn or validate the tuple state that protects an off-path response race, and
only then attempts the forged response. This report stops short of a forgery
demo, but the evidence already shows the crucial precondition on the tested
backend hop: the tuple is not high-entropy anymore. It has been reduced from
(txid, source-port) to source-port only.
Attachments attachments.zip
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.107.74"
},
"package": {
"ecosystem": "Go",
"name": "github.com/AdguardTeam/AdGuardHome"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.107.75"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/AdguardTeam/dnsproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.81.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47703"
],
"database_specific": {
"cwe_ids": [
"CWE-362",
"CWE-662"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T19:50:23Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThis report covers the client-triggered DoQ forwarding path in:\n\n- `dnsproxy` `v0.81.2` (`adguard/dnsproxy:v0.81.2`)\n- `AdGuard Home` `v0.107.74` (`adguard/adguardhome:latest`, image version label `v0.107.74`)\n\nThe issue was reproduced on `2026-04-25` with the products configured through\ntheir documented DoQ listener and plain UDP upstream surfaces. The scope is the\ninternal backend UDP hop created when a DoQ query is forwarded to a `udp://`\nupstream.\n\nOn that path, the backend DNS `ID` is not preserved as an independent source of\nentropy. For both products, the backend observer saw `dns_id=0` for every\nsampled client-triggered query on the tested path. Repeated reruns then showed\nthe same `txid=0` behavior and the same positive source-port oracle on every\nsampled run. A separate quoted-port ICMP oracle distinguished the correct\nbackend UDP source port from a wrong one with a stable, client-visible behavior\nchange.\n\nAttached evidence:\n\n- `dnsproxy` oracle path on `v0.81.2`: [attachments/artifacts/g03/20260425T141500Z-g03-v0812/summary.txt](attachments/artifacts/g03/20260425T141500Z-g03-v0812/summary.txt)\n- `dnsproxy` `v0.81.2` repeatability: [attachments/artifacts/g03/repeatability-v0812.md](attachments/artifacts/g03/repeatability-v0812.md)\n- `dnsproxy` steering follow-up on `v0.81.2`: [attachments/artifacts/g04/20260425T141900Z-g04-v0812/summary.txt](attachments/artifacts/g04/20260425T141900Z-g04-v0812/summary.txt)\n- `AdGuard Home` oracle path: [attachments/artifacts/g05/20260425T113000Z-g05/summary.txt](attachments/artifacts/g05/20260425T113000Z-g05/summary.txt)\n\n## Root Cause Analysis\n\nThe observable behavior is consistent across both products:\n\n1. A DoQ client query is accepted on the frontend listener.\n2. The query is forwarded over a backend UDP leg.\n3. On that backend leg, the forwarded DNS `ID` collapses to `0` on the\n client-triggered path instead of remaining a fresh per-query variable.\n4. The backend UDP source port is still allocated per query.\n5. When an ICMP error quotes the actual backend source port, the forwarding path\n flips behavior in a way that does not occur for a wrong quoted port.\n\nThat combination removes `txid` from the backend tuple on the tested path and\nleaves the UDP source port as the main remaining variable. In practical terms,\nthe backend hop stops behaving like a fresh `(txid, source-port)` pair per\nforwarded query and instead becomes a one-variable state exposure.\n\nFor `dnsproxy`, the correct quoted port does more than produce a failure signal:\nit can push resolution away from the primary UDP upstream and into the fallback\nupstream. For `AdGuard Home`, the same condition produces a fast `SERVFAIL`.\n\n## Reproduce\n\nPrerequisites:\n\n- Docker and Docker Compose\n- OpenSSL\n- build the lab helper image used by the attached harness and observer\n\nThe attached reproducer bundle contains only the files needed for this report:\n\n- scripts: `attachments/scripts/`\n- helper image build files: `attachments/docker/unbound-doq-attacker/`\n- compose files: `attachments/docker-compose.g03.yml`,\n `attachments/docker-compose.g04.yml`, `attachments/docker-compose.g05.yml`\n- shipped evidence: `attachments/artifacts/...`\n\nBuild the helper image first:\n\n1. `cd attachments`\n2. `docker build -t unbound-doq-attacker:latest -f docker/unbound-doq-attacker/Dockerfile docker/unbound-doq-attacker`\n\nTo rerun `dnsproxy`:\n\n1. `cd attachments`\n2. `bash scripts/repro-g03-dnsproxy-oracle.sh`\n3. Inspect `artifacts/g03/\u003cRUN_ID\u003e/summary.txt`\n4. Inspect `artifacts/g03/\u003cRUN_ID\u003e/entropy-backend.jsonl`,\n `txid_correct-backend.jsonl`, and `port_correct-backend.jsonl`\n\nTo rerun the `dnsproxy` fallback-steering case:\n\n1. `cd attachments`\n2. `bash scripts/repro-g04-dnsproxy-steering.sh`\n3. Inspect `artifacts/g04/\u003cRUN_ID\u003e/summary.txt`\n4. Inspect `steering_correct-main.jsonl` and `steering_correct-fallback.jsonl`\n\nTo rerun `AdGuard Home`:\n\n1. `cd attachments`\n2. `bash scripts/repro-g05-adguardhome-oracle.sh`\n3. Inspect `artifacts/g05/\u003cRUN_ID\u003e/summary.txt`\n4. Inspect `entropy-backend.jsonl`, `txid_correct-backend.jsonl`, and\n `port_correct-backend.jsonl`\n\nThe attached evidence includes fresh `dnsproxy v0.81.2` reruns, one official-\nprofile `AdGuard Home` run, and the minimal reproducer bundle used by both.\n\n## Impact\n\nFor both products, the tested DoQ-to-UDP path is no longer a full\n`(txid, source-port)` search surface:\n\n- `dnsproxy`: four of four sampled runs showed `txid=0` on the backend hop and\n a positive source-port oracle on `v0.81.2`. The remaining unknown is\n `port_only`. Median wrong/correct port latency was `327.99 ms / 40.93 ms`.\n- `AdGuard Home`: four of four sampled runs showed `txid=0` on the backend hop\n and a positive source-port oracle. The aggregate again classifies the\n remaining unknown as `port_only`. Median wrong/correct port latency was\n `319.14 ms / 37.02 ms`.\n\nProduct-specific effects:\n\n- `dnsproxy`: a correct port guess produced an empty client-visible answer on\n the base oracle path, and in the fallback profile it steered all eight tested\n queries away from the main upstream and into the fallback upstream.\n- `AdGuard Home`: a correct port guess produced fast `SERVFAIL` and an extra\n backend query.\n\nThis is the security-relevant point. On the tested official profiles, the\nbackend hop no longer forces an off-path attacker to deal with two fresh random\nfields per forwarded DNS race. The DNS ID is already known: it is\ndeterministically `0` on the client-triggered DoQ-to-UDP path. The only\nremaining backend tuple variable is the UDP source port, and the attached\nevidence shows a repeatable oracle for that remaining variable.\n\nThat places the path in the same threat-model class as oracle-assisted DNS\nforgery work such as SAD DNS and TUdoor: the attack first uses an oracle to\nlearn or validate the tuple state that protects an off-path response race, and\nonly then attempts the forged response. This report stops short of a forgery\ndemo, but the evidence already shows the crucial precondition on the tested\nbackend hop: the tuple is not high-entropy anymore. It has been reduced from\n`(txid, source-port)` to `source-port` only.\n\n\n---\n\n**Attachments**\n[attachments.zip](https://github.com/user-attachments/files/27227054/attachments.zip)",
"id": "GHSA-xgx4-4h9w-53pv",
"modified": "2026-06-04T19:50:23Z",
"published": "2026-06-04T19:50:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-xgx4-4h9w-53pv"
},
{
"type": "WEB",
"url": "https://github.com/AdguardTeam/dnsproxy/commit/f00d992ce9567a50f596853978ad6500acfdcf1d"
},
{
"type": "PACKAGE",
"url": "https://github.com/AdguardTeam/AdGuardHome"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle"
}
Mitigation
Use industry standard APIs to synchronize your code.
CAPEC-25: Forced Deadlock
The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.
CAPEC-26: Leveraging Race Conditions
The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.
CAPEC-27: Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.