Skip to main content

Dnsdist CVE-2026-24030

| EUVDEUVD-2026-17405 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-03-31 OX GHSA-v2vv-6q75-rvc9
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 12:15 euvd
EUVD-2026-17405
Analysis Generated
Mar 31, 2026 - 12:15 vuln.today
CVE Published
Mar 31, 2026 - 12:01 nvd
MEDIUM 5.3

DescriptionCVE.org

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

AnalysisAI

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious DNS over QUIC or DNS over HTTP/3 payloads that force excessive memory allocation. The attack causes the QUIC connection to close abnormally, and in systems with limited memory reserves, can force out-of-memory conditions that terminate the DNSdist process entirely.

Technical ContextAI

DNSdist is a DNS load balancer and denial-of-service protection appliance that proxies DNS queries. The vulnerability affects the DNS over QUIC (DoQ) and DNS over HTTP/3 (DoH/3) protocol handlers, which are modern DNS transport mechanisms built on the QUIC protocol. The root cause involves improper memory management during payload processing for these protocols-the application allocates memory based on attacker-controlled input without sufficient bounds checking. The vulnerability exploits the underlying QUIC/HTTP3 stack's resource handling in DNSdist, affecting all versions of the product using these protocol implementations.

RemediationAI

Apply the security patch provided in the PowerDNS advisory for DNSdist-2026-02 at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html. Exact patched version information should be obtained from the advisory. As an interim mitigation, disable DNS over QUIC and DNS over HTTP/3 protocol handlers if they are not required for your deployment, restricting DNSdist to traditional DNS over UDP/TCP until a patch is applied. Operators should prioritize patching due to the unauthenticated, network-accessible nature of the attack vector.

CVE-2017-7557 HIGH
8.8 Aug 22

dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.

CVE-2026-24029 MEDIUM
6.5 Mar 31

PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_d

CVE-2026-27853 MEDIUM
5.9 Mar 31

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan

CVE-2018-14663 MEDIUM
5.9 Nov 26

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d

CVE-2026-24028 MEDIUM
5.3 Mar 31

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential

CVE-2026-27854 MEDIUM
4.8 Mar 31

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method

CVE-2026-33597 LOW
3.7 Apr 22

Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service

CVE-2026-33599 LOW
3.1 Apr 22

dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB respon

CVE-2026-33596 LOW
3.1 Apr 22

dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely ti

CVE-2026-0396 LOW
3.1 Mar 31

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via

Vendor StatusVendor

Debian

dnsdist
Release Status Fixed Version Urgency
bullseye fixed (unfixed) end-of-life
bookworm fixed (unfixed) end-of-life
trixie vulnerable 1.9.10-1+deb13u1 -
forky vulnerable 2.0.2-1 -
sid fixed 2.0.3-1 -
(unstable) fixed 2.0.3-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-24030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy