Skip to main content

dnsdist CVE-2026-33593

| EUVDEUVD-2026-24929 HIGH
Divide By Zero (CWE-369)
2026-04-22 security@open-xchange.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 18:49 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Re-analysis Queued
Apr 22, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 14:59 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24929
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.5

DescriptionCVE.org

A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.

AnalysisAI

Remote denial of service in dnsdist allows unauthenticated attackers to crash the DNS load balancer by sending specially crafted DNSCrypt queries that trigger a divide-by-zero error. The vulnerability requires no authentication, low attack complexity, and directly impacts service availability for all DNS traffic routed through affected dnsdist instances. Organizations using DNSCrypt protocol support in dnsdist face immediate risk of service disruption from remote attackers.

Technical ContextAI

dnsdist is PowerDNS's high-performance DNS load balancer and traffic router. DNSCrypt is an encrypted DNS protocol that wraps DNS queries in authenticated encryption to prevent eavesdropping and manipulation. This vulnerability exists in dnsdist's DNSCrypt query parsing logic, where improper validation of crafted query parameters leads to a division-by-zero operation. The divide-by-zero error is a class of arithmetic exception that causes immediate process termination in languages like C/C++ (typical for DNS infrastructure software) when the divisor operand is not validated before arithmetic operations. The CWE classification is not provided, but this would typically fall under CWE-369 (Divide By Zero) or related input validation failures (CWE-20). The vulnerability specifically affects the DNSCrypt protocol handler, meaning only deployments with DNSCrypt enabled are vulnerable.

RemediationAI

Apply the vendor-released patch referenced in PowerDNS security advisory 2026-04 available at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html. The advisory should specify fixed dnsdist versions and upgrade procedures. Until patching is complete, disable DNSCrypt protocol support in dnsdist configuration if this feature is not operationally required - this completely eliminates the attack surface since the vulnerability is specific to DNSCrypt query parsing. For environments requiring DNSCrypt, implement upstream query validation or rate limiting on DNS traffic sources to reduce attack surface and enable faster detection of exploitation attempts through monitoring for repeated dnsdist process crashes. Deploy dnsdist behind load balancers with automatic failover and health checking to minimize service disruption if exploitation occurs. Note that disabling DNSCrypt affects clients expecting encrypted DNS, requiring communication with end users or migration to alternative encrypted DNS protocols like DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT).

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-33593 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy