CVE-2026-47703 in AdGuard Home
Summary
by MITRE • 07/15/2026
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by producing dns_id=0 or txid=0 and exposed a quoted-port ICMP source-port oracle, weakening DNS response matching for forwarded queries. This issue is fixed in version 0.107.75.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
AdGuard Home serves as a comprehensive network-level solution for blocking advertisements and tracking activities across entire networks, operating as a DNS proxy that forwards queries to upstream resolvers while maintaining local caching and filtering capabilities. The vulnerability under discussion affects the client-triggered DoQ (DNS over QUIC) forwarding mechanism that routes queries through UDP-based upstream servers, creating a specific attack surface that impacts the underlying DNS state management system. This flaw exists within the DNS query processing pipeline where AdGuard Home handles forwarded requests through its DoQ implementation, particularly when communicating with upstream UDP resolvers.
The technical implementation of this vulnerability stems from how AdGuard Home processes DNS identifiers during the forwarding process. Specifically, the system generates dns_id=0 or txid=0 values in certain scenarios when handling client queries that are forwarded via DoQ to UDP upstream servers. This represents a critical failure in DNS protocol compliance where the system fails to properly maintain transaction identifiers that are fundamental to matching responses with their corresponding queries. The zero value transaction identifier breaks the expected DNS state correlation mechanism, creating a scenario where response matching becomes unreliable and potentially vulnerable to spoofing or confusion attacks.
The operational impact of this vulnerability extends beyond simple DNS resolution failures to create a weakening of the overall security posture of AdGuard Home deployments. The exposure of a quoted-port ICMP source-port oracle represents an additional attack vector that allows adversaries to infer information about the network topology and potentially map internal port configurations. This oracle effect undermines the DNS response matching process by providing attackers with predictable patterns that can be exploited to bypass normal query correlation mechanisms, effectively weakening the integrity of the DNS forwarding system.
This vulnerability aligns with CWE-200 (Information Exposure) and CWE-347 (Improper Verification of Cryptographic Signature) categories, as it exposes information about internal port configurations and weakens cryptographic verification through improper transaction identifier handling. The issue maps to ATT&CK technique T1071.004 (Application Layer Protocol: DNS) where adversaries can manipulate DNS traffic flows, and potentially T1566 (Phishing) if the DNS poisoning effects are leveraged for malicious redirection. The vulnerability demonstrates a failure in proper state management within the DNS forwarding pipeline, creating potential for response forgery or injection attacks that could compromise network security.
The fix implemented in version 0.107.75 addresses this issue by properly maintaining DNS transaction identifiers during DoQ forwarding operations to UDP upstream servers. This ensures that dns_id and txid values are correctly generated and maintained throughout the query processing lifecycle, preventing the zero-value transaction identifier from being produced. The mitigation also includes improved handling of ICMP source-port information to prevent the exposure of quoted-port oracle characteristics, thereby restoring proper DNS response matching mechanisms.
Organizations using AdGuard Home should prioritize upgrading to version 0.107.75 or later to remediate this vulnerability and maintain proper DNS security posture. Network administrators should monitor for any unusual DNS behavior or potential spoofing attempts that might have occurred during the vulnerable period, while also ensuring that upstream DNS configurations remain properly secured. The fix represents a critical improvement in maintaining DNS protocol integrity and preventing potential exploitation of DNS state management weaknesses that could lead to broader network compromise scenarios.