Skip to main content

Dnsdist CVE-2026-27854

| EUVDEUVD-2026-17409 MEDIUM
Use After Free (CWE-416)
2026-03-31 OX GHSA-fmwh-v9r8-w9j6
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 31, 2026 - 12:15 euvd
EUVD-2026-17409
Analysis Generated
Mar 31, 2026 - 12:15 vuln.today
CVE Published
Mar 31, 2026 - 12:06 nvd
MEDIUM 4.8

DescriptionCVE.org

An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.

AnalysisAI

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method accesses a modified DNS packet, triggering a use-after-free condition. This affects DNSdist across all versions and requires network access to send crafted DNS queries, but the attack demands specific Lua code patterns and high attack complexity; no public exploit or active exploitation has been confirmed, and the real-world impact is limited to environments where custom Lua DNS query handlers reference EDNS options.

Technical ContextAI

DNSdist is PowerDNS's high-performance DNS load balancer and traffic shaper, which supports custom query processing via embedded Lua scripting. The vulnerability resides in how the DNSQuestion:getEDNSOptions Lua method handles references to EDNS (Extension Mechanisms for DNS) option data within DNS packet structures. When a DNS packet is modified during processing (for example, by upstream transformations or packet rewrites), the internal pointer or reference used by getEDNSOptions may become stale, pointing to memory that has been reallocated or freed. This is a classic use-after-free condition at the memory safety level. The root cause is insufficient validation or lifetime tracking of DNS packet structures in the Lua-to-C++ boundary when EDNS options are accessed post-modification.

RemediationAI

Update DNSdist to a patched version released by PowerDNS that addresses the use-after-free condition in the DNSQuestion:getEDNSOptions method. The exact patched version number is not provided in the available data; consult the PowerDNS advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html for the specific upgrade target. As an interim mitigation, review and audit custom Lua code to identify any calls to DNSQuestion:getEDNSOptions, and either remove them if unnecessary or refactor them to avoid relying on EDNS options after packet modifications. Restrict DNSdist to minimal or no custom Lua processing if feasible, reducing the attack surface. Consider network-level controls to limit DNS query sources to trusted clients.

CVE-2017-7557 HIGH
8.8 Aug 22

dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.

CVE-2026-24029 MEDIUM
6.5 Mar 31

PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_d

CVE-2026-27853 MEDIUM
5.9 Mar 31

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan

CVE-2018-14663 MEDIUM
5.9 Nov 26

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d

CVE-2026-24030 MEDIUM
5.3 Mar 31

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious

CVE-2026-24028 MEDIUM
5.3 Mar 31

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential

CVE-2026-33597 LOW
3.7 Apr 22

Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service

CVE-2026-33599 LOW
3.1 Apr 22

dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB respon

CVE-2026-33596 LOW
3.1 Apr 22

dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely ti

CVE-2026-0396 LOW
3.1 Mar 31

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via

Vendor StatusVendor

Debian

dnsdist
Release Status Fixed Version Urgency
bullseye fixed (unfixed) end-of-life
bookworm fixed (unfixed) end-of-life
trixie vulnerable 1.9.10-1+deb13u1 -
forky vulnerable 2.0.2-1 -
sid fixed 2.0.3-1 -
(unstable) fixed 2.0.3-1 -

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-27854 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy