Common Weakness Enumeration

CWE-662

Discouraged

Improper Synchronization

Abstraction: Class · Status: Draft

The product utilizes multiple threads, processes, components, or systems to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not properly synchronize these actions, which might cause simultaneous accesses of this resource by multiple threads or processes.

72 vulnerabilities reference this CWE, most recent first.

GHSA-RW2C-C256-3R53

Vulnerability from github – Published: 2021-08-25 20:51 – Updated: 2023-06-13 18:08
VLAI
Summary
Data races in hashconsing
Details

Affected versions of hashconsing implements Send/Sync for its HConsed type without restricting it to Sendable types and Syncable types. This allows non-Sync types such as Cell to be shared across threads leading to undefined behavior and memory corruption in concurrent programs.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "hashconsing"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36215"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-662",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T18:47:26Z",
    "nvd_published_at": "2021-01-26T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Affected versions of hashconsing implements Send/Sync for its HConsed type without restricting it to Sendable types and Syncable types. This allows non-Sync types such as Cell to be shared across threads leading to undefined behavior and memory corruption in concurrent programs.",
  "id": "GHSA-rw2c-c256-3r53",
  "modified": "2023-06-13T18:08:34Z",
  "published": "2021-08-25T20:51:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36215"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AdrienChampion/hashconsing/issues/1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AdrienChampion/hashconsing"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0107.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Data races in hashconsing"
}

GHSA-V2RQ-G9FX-7MR6

Vulnerability from github – Published: 2022-05-13 01:06 – Updated: 2022-05-13 01:06
VLAI
Details

An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8368"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-662"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-13T21:59:00Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock.",
  "id": "GHSA-v2rq-g9fx-7mr6",
  "modified": "2022-05-13T01:06:04Z",
  "published": "2022-05-13T01:06:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8368"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-16-336-03"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94632"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFPH-FVW4-J4XP

Vulnerability from github – Published: 2024-09-26 09:31 – Updated: 2024-09-26 09:31
VLAI
Details

An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-4278"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-662",
      "CWE-821"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-26T07:15:02Z",
    "severity": "MODERATE"
  },
  "details": "An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting.",
  "id": "GHSA-vfph-fvw4-j4xp",
  "modified": "2024-09-26T09:31:41Z",
  "published": "2024-09-26T09:31:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4278"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/2466205"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/458484"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VFV6-GCFM-5FX2

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2022-05-24 16:45
VLAI
Details

An exploitable denial-of-service vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause a semaphore deadlock, which prevents the device from receiving any physical or network inputs. An attacker can send a specially crafted packet to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-4027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-662"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-13T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "An exploitable denial-of-service vulnerability exists in the XML_UploadFile Wi-Fi command of the NT9665X Chipset firmware, running on the Anker Roav A1 Dashcam, version RoavA1SWV1.9. A specially crafted packet can cause a semaphore deadlock, which prevents the device from receiving any physical or network inputs. An attacker can send a specially crafted packet to trigger this vulnerability.",
  "id": "GHSA-vfv6-gcfm-5fx2",
  "modified": "2022-05-24T16:45:32Z",
  "published": "2022-05-24T16:45:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-4027"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2018-0699"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-VWX4-FRPR-W27J

Vulnerability from github – Published: 2022-02-16 00:01 – Updated: 2022-12-01 22:11
VLAI
Summary
Improper Synchronization in Jenkins Convertigo Mobile Platform Plugin
Details

Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.convertigo.jenkins.plugins:convertigo-mobile-platform"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-25210"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-662",
      "CWE-820"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-02-24T17:41:42Z",
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.",
  "id": "GHSA-vwx4-frpr-w27j",
  "modified": "2022-12-01T22:11:12Z",
  "published": "2022-02-16T00:01:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25210"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/convertigo-mobile-platform-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2280"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Synchronization in Jenkins Convertigo Mobile Platform Plugin"
}

GHSA-W8WM-5QPX-C8J6

Vulnerability from github – Published: 2022-10-18 12:00 – Updated: 2022-10-20 19:00
VLAI
Details

A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-662"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-10-17T19:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability, which was classified as critical, has been found in Linux Kernel. Affected by this issue is the function del_timer of the file drivers/isdn/mISDN/l1oip_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211088.",
  "id": "GHSA-w8wm-5qpx-c8j6",
  "modified": "2022-10-20T19:00:36Z",
  "published": "2022-10-18T12:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3565"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=2568a7e0832ee30b0a351016d03062ab4e0e0a3f"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.211088"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WMWV-5VWP-C54W

Vulnerability from github – Published: 2022-09-14 00:00 – Updated: 2022-09-20 00:00
VLAI
Details

A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2962"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-662",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-09-13T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn\u0027t check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.",
  "id": "GHSA-wmwv-5vwp-c54w",
  "modified": "2022-09-20T00:00:29Z",
  "published": "2022-09-14T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2962"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/qemu-project/qemu/-/issues/1171"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WR55-MF5C-HHWM

Vulnerability from github – Published: 2021-08-25 20:50 – Updated: 2023-06-13 18:16
VLAI
Summary
Data races in late-static
Details

Affected versions of this crate implemented Sync for LateStatic with T: Send, so that it is possible to create a data race to a type T: Send + !Sync (e.g. Cell).

This can result in a memory corruption or other kinds of undefined behavior.

The flaw was corrected in commit 11f396c by replacing the T: Send bound to T: Sync bound in the Sync impl for LateStatic.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "late-static"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-36209"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-662"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-19T18:52:13Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Affected versions of this crate implemented Sync for LateStatic with T: Send, so that it is possible to create a data race to a type T: Send + !Sync (e.g. Cell\u003cT\u003e).\n\nThis can result in a memory corruption or other kinds of undefined behavior.\n\nThe flaw was corrected in commit 11f396c by replacing the T: Send bound to T: Sync bound in the Sync impl for LateStatic\u003cT\u003e.",
  "id": "GHSA-wr55-mf5c-hhwm",
  "modified": "2023-06-13T18:16:02Z",
  "published": "2021-08-25T20:50:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36209"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Richard-W/late-static/issues/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Richard-W/late-static/commit/11f396c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Richard-W/late-static"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0102.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Data races in late-static"
}

GHSA-X2W4-C67P-G44J

Vulnerability from github – Published: 2023-06-06 21:30 – Updated: 2025-02-13 18:56
VLAI
Summary
Grafana Missing Synchronization vulnerability
Details

Grafana is an open-source platform for monitoring and observability.

Using public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.

The only feature that uses mixed queries at the moment is public dashboards, but it's also possible to cause this by calling the query API directly.

This might enable malicious users to crash Grafana instances through that endpoint.

Users may upgrade to version 9.4.12 and 9.5.3 to receive a fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.4.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/grafana/grafana"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.5.0"
            },
            {
              "fixed": "9.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-2801"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-662",
      "CWE-820"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-07T15:08:08Z",
    "nvd_published_at": "2023-06-06T19:15:11Z",
    "severity": "HIGH"
  },
  "details": "Grafana is an open-source platform for monitoring and observability. \n\nUsing public dashboards users can query multiple distinct data sources using mixed queries. However such query has a possibility of crashing a Grafana instance.\n\nThe only feature that uses mixed queries at the moment is public dashboards, but it\u0027s also possible to cause this by calling the query API directly.\n\nThis might enable malicious users to crash Grafana instances through that endpoint.\n\nUsers may upgrade to version 9.4.12 and 9.5.3 to receive a fix.",
  "id": "GHSA-x2w4-c67p-g44j",
  "modified": "2025-02-13T18:56:29Z",
  "published": "2023-06-06T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2801"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/grafana/grafana"
    },
    {
      "type": "WEB",
      "url": "https://grafana.com/security/security-advisories/cve-2023-2801"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20230706-0002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Grafana Missing Synchronization vulnerability"
}

GHSA-XGX4-4H9W-53PV

Vulnerability from github – Published: 2026-06-04 19:50 – Updated: 2026-06-04 19:50
VLAI
Summary
AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle
Details

Summary

This report covers the client-triggered DoQ forwarding path in:

  • dnsproxy v0.81.2 (adguard/dnsproxy:v0.81.2)
  • AdGuard Home v0.107.74 (adguard/adguardhome:latest, image version label v0.107.74)

The issue was reproduced on 2026-04-25 with the products configured through their documented DoQ listener and plain UDP upstream surfaces. The scope is the internal backend UDP hop created when a DoQ query is forwarded to a udp:// upstream.

On that path, the backend DNS ID is not preserved as an independent source of entropy. For both products, the backend observer saw dns_id=0 for every sampled client-triggered query on the tested path. Repeated reruns then showed the same txid=0 behavior and the same positive source-port oracle on every sampled run. A separate quoted-port ICMP oracle distinguished the correct backend UDP source port from a wrong one with a stable, client-visible behavior change.

Attached evidence:

Root Cause Analysis

The observable behavior is consistent across both products:

  1. A DoQ client query is accepted on the frontend listener.
  2. The query is forwarded over a backend UDP leg.
  3. On that backend leg, the forwarded DNS ID collapses to 0 on the client-triggered path instead of remaining a fresh per-query variable.
  4. The backend UDP source port is still allocated per query.
  5. When an ICMP error quotes the actual backend source port, the forwarding path flips behavior in a way that does not occur for a wrong quoted port.

That combination removes txid from the backend tuple on the tested path and leaves the UDP source port as the main remaining variable. In practical terms, the backend hop stops behaving like a fresh (txid, source-port) pair per forwarded query and instead becomes a one-variable state exposure.

For dnsproxy, the correct quoted port does more than produce a failure signal: it can push resolution away from the primary UDP upstream and into the fallback upstream. For AdGuard Home, the same condition produces a fast SERVFAIL.

Reproduce

Prerequisites:

  • Docker and Docker Compose
  • OpenSSL
  • build the lab helper image used by the attached harness and observer

The attached reproducer bundle contains only the files needed for this report:

  • scripts: attachments/scripts/
  • helper image build files: attachments/docker/unbound-doq-attacker/
  • compose files: attachments/docker-compose.g03.yml, attachments/docker-compose.g04.yml, attachments/docker-compose.g05.yml
  • shipped evidence: attachments/artifacts/...

Build the helper image first:

  1. cd attachments
  2. docker build -t unbound-doq-attacker:latest -f docker/unbound-doq-attacker/Dockerfile docker/unbound-doq-attacker

To rerun dnsproxy:

  1. cd attachments
  2. bash scripts/repro-g03-dnsproxy-oracle.sh
  3. Inspect artifacts/g03/<RUN_ID>/summary.txt
  4. Inspect artifacts/g03/<RUN_ID>/entropy-backend.jsonl, txid_correct-backend.jsonl, and port_correct-backend.jsonl

To rerun the dnsproxy fallback-steering case:

  1. cd attachments
  2. bash scripts/repro-g04-dnsproxy-steering.sh
  3. Inspect artifacts/g04/<RUN_ID>/summary.txt
  4. Inspect steering_correct-main.jsonl and steering_correct-fallback.jsonl

To rerun AdGuard Home:

  1. cd attachments
  2. bash scripts/repro-g05-adguardhome-oracle.sh
  3. Inspect artifacts/g05/<RUN_ID>/summary.txt
  4. Inspect entropy-backend.jsonl, txid_correct-backend.jsonl, and port_correct-backend.jsonl

The attached evidence includes fresh dnsproxy v0.81.2 reruns, one official- profile AdGuard Home run, and the minimal reproducer bundle used by both.

Impact

For both products, the tested DoQ-to-UDP path is no longer a full (txid, source-port) search surface:

  • dnsproxy: four of four sampled runs showed txid=0 on the backend hop and a positive source-port oracle on v0.81.2. The remaining unknown is port_only. Median wrong/correct port latency was 327.99 ms / 40.93 ms.
  • AdGuard Home: four of four sampled runs showed txid=0 on the backend hop and a positive source-port oracle. The aggregate again classifies the remaining unknown as port_only. Median wrong/correct port latency was 319.14 ms / 37.02 ms.

Product-specific effects:

  • dnsproxy: a correct port guess produced an empty client-visible answer on the base oracle path, and in the fallback profile it steered all eight tested queries away from the main upstream and into the fallback upstream.
  • AdGuard Home: a correct port guess produced fast SERVFAIL and an extra backend query.

This is the security-relevant point. On the tested official profiles, the backend hop no longer forces an off-path attacker to deal with two fresh random fields per forwarded DNS race. The DNS ID is already known: it is deterministically 0 on the client-triggered DoQ-to-UDP path. The only remaining backend tuple variable is the UDP source port, and the attached evidence shows a repeatable oracle for that remaining variable.

That places the path in the same threat-model class as oracle-assisted DNS forgery work such as SAD DNS and TUdoor: the attack first uses an oracle to learn or validate the tuple state that protects an off-path response race, and only then attempts the forged response. This report stops short of a forgery demo, but the evidence already shows the crucial precondition on the tested backend hop: the tuple is not high-entropy anymore. It has been reduced from (txid, source-port) to source-port only.


Attachments attachments.zip

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.107.74"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/AdguardTeam/AdGuardHome"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.107.75"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/AdguardTeam/dnsproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.81.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47703"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-362",
      "CWE-662"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-04T19:50:23Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThis report covers the client-triggered DoQ forwarding path in:\n\n- `dnsproxy` `v0.81.2` (`adguard/dnsproxy:v0.81.2`)\n- `AdGuard Home` `v0.107.74` (`adguard/adguardhome:latest`, image version label `v0.107.74`)\n\nThe issue was reproduced on `2026-04-25` with the products configured through\ntheir documented DoQ listener and plain UDP upstream surfaces. The scope is the\ninternal backend UDP hop created when a DoQ query is forwarded to a `udp://`\nupstream.\n\nOn that path, the backend DNS `ID` is not preserved as an independent source of\nentropy. For both products, the backend observer saw `dns_id=0` for every\nsampled client-triggered query on the tested path. Repeated reruns then showed\nthe same `txid=0` behavior and the same positive source-port oracle on every\nsampled run. A separate quoted-port ICMP oracle distinguished the correct\nbackend UDP source port from a wrong one with a stable, client-visible behavior\nchange.\n\nAttached evidence:\n\n- `dnsproxy` oracle path on `v0.81.2`: [attachments/artifacts/g03/20260425T141500Z-g03-v0812/summary.txt](attachments/artifacts/g03/20260425T141500Z-g03-v0812/summary.txt)\n- `dnsproxy` `v0.81.2` repeatability: [attachments/artifacts/g03/repeatability-v0812.md](attachments/artifacts/g03/repeatability-v0812.md)\n- `dnsproxy` steering follow-up on `v0.81.2`: [attachments/artifacts/g04/20260425T141900Z-g04-v0812/summary.txt](attachments/artifacts/g04/20260425T141900Z-g04-v0812/summary.txt)\n- `AdGuard Home` oracle path: [attachments/artifacts/g05/20260425T113000Z-g05/summary.txt](attachments/artifacts/g05/20260425T113000Z-g05/summary.txt)\n\n## Root Cause Analysis\n\nThe observable behavior is consistent across both products:\n\n1. A DoQ client query is accepted on the frontend listener.\n2. The query is forwarded over a backend UDP leg.\n3. On that backend leg, the forwarded DNS `ID` collapses to `0` on the\n   client-triggered path instead of remaining a fresh per-query variable.\n4. The backend UDP source port is still allocated per query.\n5. When an ICMP error quotes the actual backend source port, the forwarding path\n   flips behavior in a way that does not occur for a wrong quoted port.\n\nThat combination removes `txid` from the backend tuple on the tested path and\nleaves the UDP source port as the main remaining variable. In practical terms,\nthe backend hop stops behaving like a fresh `(txid, source-port)` pair per\nforwarded query and instead becomes a one-variable state exposure.\n\nFor `dnsproxy`, the correct quoted port does more than produce a failure signal:\nit can push resolution away from the primary UDP upstream and into the fallback\nupstream. For `AdGuard Home`, the same condition produces a fast `SERVFAIL`.\n\n## Reproduce\n\nPrerequisites:\n\n- Docker and Docker Compose\n- OpenSSL\n- build the lab helper image used by the attached harness and observer\n\nThe attached reproducer bundle contains only the files needed for this report:\n\n- scripts: `attachments/scripts/`\n- helper image build files: `attachments/docker/unbound-doq-attacker/`\n- compose files: `attachments/docker-compose.g03.yml`,\n  `attachments/docker-compose.g04.yml`, `attachments/docker-compose.g05.yml`\n- shipped evidence: `attachments/artifacts/...`\n\nBuild the helper image first:\n\n1. `cd attachments`\n2. `docker build -t unbound-doq-attacker:latest -f docker/unbound-doq-attacker/Dockerfile docker/unbound-doq-attacker`\n\nTo rerun `dnsproxy`:\n\n1. `cd attachments`\n2. `bash scripts/repro-g03-dnsproxy-oracle.sh`\n3. Inspect `artifacts/g03/\u003cRUN_ID\u003e/summary.txt`\n4. Inspect `artifacts/g03/\u003cRUN_ID\u003e/entropy-backend.jsonl`,\n   `txid_correct-backend.jsonl`, and `port_correct-backend.jsonl`\n\nTo rerun the `dnsproxy` fallback-steering case:\n\n1. `cd attachments`\n2. `bash scripts/repro-g04-dnsproxy-steering.sh`\n3. Inspect `artifacts/g04/\u003cRUN_ID\u003e/summary.txt`\n4. Inspect `steering_correct-main.jsonl` and `steering_correct-fallback.jsonl`\n\nTo rerun `AdGuard Home`:\n\n1. `cd attachments`\n2. `bash scripts/repro-g05-adguardhome-oracle.sh`\n3. Inspect `artifacts/g05/\u003cRUN_ID\u003e/summary.txt`\n4. Inspect `entropy-backend.jsonl`, `txid_correct-backend.jsonl`, and\n   `port_correct-backend.jsonl`\n\nThe attached evidence includes fresh `dnsproxy v0.81.2` reruns, one official-\nprofile `AdGuard Home` run, and the minimal reproducer bundle used by both.\n\n## Impact\n\nFor both products, the tested DoQ-to-UDP path is no longer a full\n`(txid, source-port)` search surface:\n\n- `dnsproxy`: four of four sampled runs showed `txid=0` on the backend hop and\n  a positive source-port oracle on `v0.81.2`. The remaining unknown is\n  `port_only`. Median wrong/correct port latency was `327.99 ms / 40.93 ms`.\n- `AdGuard Home`: four of four sampled runs showed `txid=0` on the backend hop\n  and a positive source-port oracle. The aggregate again classifies the\n  remaining unknown as `port_only`. Median wrong/correct port latency was\n  `319.14 ms / 37.02 ms`.\n\nProduct-specific effects:\n\n- `dnsproxy`: a correct port guess produced an empty client-visible answer on\n  the base oracle path, and in the fallback profile it steered all eight tested\n  queries away from the main upstream and into the fallback upstream.\n- `AdGuard Home`: a correct port guess produced fast `SERVFAIL` and an extra\n  backend query.\n\nThis is the security-relevant point. On the tested official profiles, the\nbackend hop no longer forces an off-path attacker to deal with two fresh random\nfields per forwarded DNS race. The DNS ID is already known: it is\ndeterministically `0` on the client-triggered DoQ-to-UDP path. The only\nremaining backend tuple variable is the UDP source port, and the attached\nevidence shows a repeatable oracle for that remaining variable.\n\nThat places the path in the same threat-model class as oracle-assisted DNS\nforgery work such as SAD DNS and TUdoor: the attack first uses an oracle to\nlearn or validate the tuple state that protects an off-path response race, and\nonly then attempts the forged response. This report stops short of a forgery\ndemo, but the evidence already shows the crucial precondition on the tested\nbackend hop: the tuple is not high-entropy anymore. It has been reduced from\n`(txid, source-port)` to `source-port` only.\n\n\n---\n\n**Attachments**\n[attachments.zip](https://github.com/user-attachments/files/27227054/attachments.zip)",
  "id": "GHSA-xgx4-4h9w-53pv",
  "modified": "2026-06-04T19:50:23Z",
  "published": "2026-06-04T19:50:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-xgx4-4h9w-53pv"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AdguardTeam/dnsproxy/commit/f00d992ce9567a50f596853978ad6500acfdcf1d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AdguardTeam/AdGuardHome"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle"
}

Mitigation
Implementation

Use industry standard APIs to synchronize your code.

CAPEC-25: Forced Deadlock

The adversary triggers and exploits a deadlock condition in the target software to cause a denial of service. A deadlock can occur when two or more competing actions are waiting for each other to finish, and thus neither ever does. Deadlock conditions can be difficult to detect.

CAPEC-26: Leveraging Race Conditions

The adversary targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the access takes place. The adversary can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the adversary can trick the system by replacing the original file with their version and cause the system to read the malicious file.

CAPEC-27: Leveraging Race Conditions via Symbolic Links

This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.

CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions

This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. A typical example is file access. The adversary can leverage a file access race condition by "running the race", meaning that they would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the adversary could replace or modify the file, causing the application to behave unexpectedly.