Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
7DescriptionCVE.org
A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
AnalysisAI
Remote denial of service in dnsdist allows unauthenticated attackers to crash the DNS load balancer by sending specially crafted DNSCrypt queries that trigger a divide-by-zero error. The vulnerability requires no authentication, low attack complexity, and directly impacts service availability for all DNS traffic routed through affected dnsdist instances. Organizations using DNSCrypt protocol support in dnsdist face immediate risk of service disruption from remote attackers.
Technical ContextAI
dnsdist is PowerDNS's high-performance DNS load balancer and traffic router. DNSCrypt is an encrypted DNS protocol that wraps DNS queries in authenticated encryption to prevent eavesdropping and manipulation. This vulnerability exists in dnsdist's DNSCrypt query parsing logic, where improper validation of crafted query parameters leads to a division-by-zero operation. The divide-by-zero error is a class of arithmetic exception that causes immediate process termination in languages like C/C++ (typical for DNS infrastructure software) when the divisor operand is not validated before arithmetic operations. The CWE classification is not provided, but this would typically fall under CWE-369 (Divide By Zero) or related input validation failures (CWE-20). The vulnerability specifically affects the DNSCrypt protocol handler, meaning only deployments with DNSCrypt enabled are vulnerable.
RemediationAI
Apply the vendor-released patch referenced in PowerDNS security advisory 2026-04 available at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html. The advisory should specify fixed dnsdist versions and upgrade procedures. Until patching is complete, disable DNSCrypt protocol support in dnsdist configuration if this feature is not operationally required - this completely eliminates the attack surface since the vulnerability is specific to DNSCrypt query parsing. For environments requiring DNSCrypt, implement upstream query validation or rate limiting on DNS traffic sources to reduce attack surface and enable faster detection of exploitation attempts through monitoring for repeated dnsdist process crashes. Deploy dnsdist behind load balancers with automatic failover and health checking to minimize service disruption if exploitation occurs. Note that disabling DNSCrypt affects clients expecting encrypted DNS, requiring communication with end users or migration to alternative encrypted DNS protocols like DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).
Same weakness CWE-369 – Divide By Zero
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE CaaS Platform 4.0 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP1-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP2-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24929