EUVD-2026-17405
GHSA-v2vv-6q75-rvc9
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4Tags
Description
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Analysis
Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious DNS over QUIC or DNS over HTTP/3 payloads that force excessive memory allocation. The attack causes the QUIC connection to close abnormally, and in systems with limited memory reserves, can force out-of-memory conditions that terminate the DNSdist process entirely.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Vendor Status
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | (unfixed) | end-of-life |
| bookworm | fixed | (unfixed) | end-of-life |
| trixie | vulnerable | 1.9.10-1+deb13u1 | - |
| forky | vulnerable | 2.0.2-1 | - |
| sid | fixed | 2.0.3-1 | - |
| (unstable) | fixed | 2.0.3-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today