CVE-2026-35406 Overview
CVE-2026-35406 is a denial of service vulnerability affecting aardvark-dns, an authoritative DNS server designed for A/AAAA container records. The vulnerability allows an attacker to cause the DNS server to enter an unrecoverable infinite error loop consuming 100% CPU by sending a truncated TCP DNS query followed by a connection reset.
Critical Impact
Successful exploitation causes complete denial of service of the aardvark-dns server, rendering container DNS resolution unavailable and potentially disrupting containerized application communications.
Affected Products
- Aardvark-dns versions 1.16.0 to 1.17.0
Discovery Timeline
- 2026-04-07 - CVE-2026-35406 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35406
Vulnerability Analysis
This vulnerability (CWE-400: Uncontrolled Resource Consumption) affects the TCP query handling mechanism in aardvark-dns. When the DNS server receives a truncated TCP DNS query (a query packet that is incomplete or improperly formed) followed by an abrupt connection reset from the client, the server fails to handle this error condition correctly. Instead of recovering gracefully or terminating the connection processing, the server enters an infinite error loop.
The infinite loop consumes 100% of available CPU resources on the affected system. This resource exhaustion condition is unrecoverable without manual intervention, meaning the DNS server must be restarted to restore normal operation. Container environments relying on aardvark-dns for internal DNS resolution would experience complete loss of name resolution services during the attack.
Root Cause
The root cause lies in improper error handling when processing TCP DNS connections that are prematurely terminated. The code path responsible for reading and processing TCP-based DNS queries does not adequately handle the scenario where a partial query is received followed by a connection reset (RST) packet. This results in the server repeatedly attempting to process the incomplete request without proper exit conditions or timeout mechanisms.
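To make the described error-handling failure concrete, the following is an added example in Rust (the language aardvark-dns is written in). It is not aardvark-dns's code and does not reproduce its actual read path; it shows the hardened pattern a TCP DNS reader needs: every truncated read, EOF inside a message, undersized length and ECONNRESET is returned as an error that ends the connection, so no code path re-enters a read on a failed socket. The `ResetAfter` type is a constructed test double standing in for a `TcpStream` whose peer has sent RST, and all function and type names here are assumptions for the example.

```rust
use std::io::{self, Cursor, ErrorKind, Read};

/// A DNS message header is 12 bytes; anything shorter cannot be a valid query.
const DNS_HEADER_LEN: usize = 12;

/// Result of reading one RFC 1035 length-prefixed DNS message from a TCP stream.
#[derive(Debug, PartialEq)]
pub enum ReadOutcome {
    /// One complete message, length prefix stripped.
    Message(Vec<u8>),
    /// The client closed the connection cleanly between messages.
    Closed,
}

/// Reads a single TCP DNS message. Every failure mode (EOF inside the length
/// prefix, EOF inside the body, ECONNRESET from an RST, undersized length) is
/// surfaced as an `Err` so the caller drops the connection instead of retrying.
pub fn read_tcp_dns_message<R: Read>(stream: &mut R) -> io::Result<ReadOutcome> {
    let mut len_buf = [0u8; 2];
    let mut got = 0;
    while got < len_buf.len() {
        match stream.read(&mut len_buf[got..]) {
            // Clean EOF before any byte of a new message: the client is done.
            Ok(0) if got == 0 => return Ok(ReadOutcome::Closed),
            // EOF after only one byte of the prefix: a truncated query.
            Ok(0) => return Err(io::Error::new(ErrorKind::UnexpectedEof, "truncated length prefix")),
            Ok(n) => got += n,
            Err(e) if e.kind() == ErrorKind::Interrupted => continue,
            Err(e) => return Err(e),
        }
    }
    let len = u16::from_be_bytes(len_buf) as usize;
    if len < DNS_HEADER_LEN {
        return Err(io::Error::new(ErrorKind::InvalidData, "length below DNS header size"));
    }
    // read_exact returns UnexpectedEof if the client stops mid-message and
    // propagates ConnectionReset if it sends RST; neither is retried here.
    let mut body = vec![0u8; len];
    stream.read_exact(&mut body)?;
    Ok(ReadOutcome::Message(body))
}

/// Serves one TCP connection. The `?` on each read is the exit condition the
/// advisory describes as missing: an error ends the connection rather than
/// being retried in a tight loop. Returns how many messages were handled.
pub fn serve_connection<R: Read>(stream: &mut R, mut handle: impl FnMut(&[u8])) -> io::Result<usize> {
    let mut served = 0;
    loop {
        match read_tcp_dns_message(stream)? {
            ReadOutcome::Closed => return Ok(served),
            ReadOutcome::Message(msg) => {
                handle(&msg);
                served += 1;
            }
        }
    }
}

/// Constructed test double: yields `data`, then fails with ConnectionReset the
/// way a real `TcpStream` does once the peer has sent an RST.
pub struct ResetAfter {
    data: Cursor<Vec<u8>>,
}

impl ResetAfter {
    pub fn new(data: Vec<u8>) -> Self {
        ResetAfter { data: Cursor::new(data) }
    }
}

impl Read for ResetAfter {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        match self.data.read(buf)? {
            0 => Err(io::Error::new(ErrorKind::ConnectionReset, "peer sent RST")),
            n => Ok(n),
        }
    }
}

/// Builds a wire frame: 2-byte big-endian length followed by the message
/// (messages are assumed to fit in a u16, as RFC 1035 requires).
pub fn frame(msg: &[u8]) -> Vec<u8> {
    let mut wire = (msg.len() as u16).to_be_bytes().to_vec();
    wire.extend_from_slice(msg);
    wire
}

fn main() {
    // Constructed input: one 12-byte header-only query, then only 3 bytes of a
    // second query, then the peer resets the connection.
    let mut wire = frame(&[0xab, 0xcd, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0]);
    wire.extend_from_slice(&[0, 12, 0xde, 0xad, 0xbe]);
    let mut stream = ResetAfter::new(wire);
    let result = serve_connection(&mut stream, |m| println!("handled {} byte query", m.len()));
    match result {
        Ok(n) => println!("client closed after {} queries", n),
        Err(e) => println!("connection ended: {} ({:?})", e, e.kind()),
    }
}
```

On a real `TcpStream`, pairing this reader with `set_read_timeout` bounds how long a half-sent query can occupy a handler, which covers the timeout mechanism the root-cause paragraph mentions; the `?` on each read is what rules out the retry loop.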
Attack Vector
An attacker with local access to the network can exploit this vulnerability by establishing a TCP connection to the aardvark-dns server on the DNS port. The attack sequence involves:
- Opening a TCP connection to the DNS server
- Sending a deliberately truncated or partial DNS query packet
- Immediately resetting the TCP connection before the server can complete processing
The attack requires local network access but does not require authentication or user interaction. The simplicity of the attack vector combined with the severe impact on availability makes this a significant concern for containerized environments using aardvark-dns.
Detection Methods for CVE-2026-35406
Indicators of Compromise
- Aardvark-dns process consuming 100% CPU for extended periods
- DNS resolution failures for containers despite the aardvark-dns process running
- Sudden spike in TCP connection resets to the DNS service port
- Log entries indicating repeated connection errors or malformed queries
Detection Strategies
- Monitor CPU utilization of aardvark-dns processes and alert on sustained 100% usage
- Implement network monitoring to detect patterns of truncated TCP DNS queries followed by RST packets
- Configure container orchestration health checks to detect unresponsive DNS services
- Review aardvark-dns logs for error patterns associated with malformed TCP queries
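As an added example of the first detection strategy (alerting on sustained rather than momentary 100% CPU), the following Rust function is not part of the advisory or of aardvark-dns. It evaluates a series of CPU samples for the aardvark-dns process and fires only when utilization stays at or above a threshold for a minimum duration, so a brief query burst does not alert but a stuck error loop, which never drops back, does. The sample series is constructed for the example; how samples are collected (from /proc, a metrics agent or an orchestrator) is an assumption left outside it.

```rust
/// One CPU sample for the aardvark-dns process: (unix seconds, CPU percent).
/// Collecting the samples is outside this example.
pub type CpuSample = (u64, f64);

/// Returns the (start, end) timestamps of the first stretch in which CPU stayed
/// at or above `threshold` for at least `min_secs` seconds, or None.
/// A run is reset as soon as one sample falls below the threshold, so only
/// continuous saturation, the signature of the error loop, is reported.
pub fn sustained_high_cpu(samples: &[CpuSample], threshold: f64, min_secs: u64) -> Option<(u64, u64)> {
    let mut run_start: Option<u64> = None;
    for &(t, cpu) in samples {
        if cpu >= threshold {
            let start = *run_start.get_or_insert(t);
            if t.saturating_sub(start) >= min_secs {
                return Some((start, t));
            }
        } else {
            run_start = None;
        }
    }
    None
}

/// Constructed sample series at 10-second intervals: a short spike at t=20..30
/// that recovers, then a run from t=60 onward that never recovers.
pub fn example_samples() -> Vec<CpuSample> {
    let mut s = vec![(0, 3.0), (10, 4.0), (20, 100.0), (30, 100.0), (40, 2.0), (50, 3.0)];
    s.extend((60..=200).step_by(10).map(|t| (t, 100.0)));
    s
}

fn main() {
    // With a 60-second window the early spike is ignored and the stuck run alerts.
    match sustained_high_cpu(&example_samples(), 95.0, 60) {
        Some((start, end)) => println!("ALERT: aardvark-dns at >=95% CPU from t={} to t={}", start, end),
        None => println!("no sustained high CPU"),
    }
}
```

The threshold and window are tuning knobs: the baseline metrics the monitoring recommendations call for are what tell you where normal bursts end for a given host.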
Monitoring Recommendations
- Deploy endpoint monitoring to track resource consumption of critical infrastructure services
- Implement automated alerting for DNS resolution failures within container environments
- Configure network flow analysis to identify anomalous TCP connection patterns targeting DNS services
- Establish baseline CPU utilization metrics for aardvark-dns to enable anomaly detection
How to Mitigate CVE-2026-35406
Immediate Actions Required
- Upgrade aardvark-dns to version 1.17.1 or later immediately
- Verify current aardvark-dns version across all container hosts and orchestration platforms
- Monitor aardvark-dns processes for signs of exploitation until patches are applied
- Prepare incident response procedures for DNS service recovery if exploitation occurs
Patch Information
The vulnerability has been fixed in aardvark-dns version 1.17.1. The fix addresses the improper error handling that allowed the infinite loop condition. Organizations should upgrade to the patched version as soon as possible. Additional details about the fix are available in the GitHub Security Advisory GHSA-hfpq-x728-986j and the GitHub commit.
Workarounds
- Implement network segmentation to limit access to the DNS service from untrusted sources
- Deploy rate limiting on TCP connections to the aardvark-dns service
- Configure automated restart policies for the aardvark-dns service to enable faster recovery if exploited
- Use external DNS services as fallback to maintain connectivity during potential attacks
# Verify current aardvark-dns version and upgrade
aardvark-dns --version
# Upgrade to patched version (example using package manager)
dnf update aardvark-dns
# Or pull latest container image containing patched version
podman pull containers/aardvark-dns:v1.17.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


