Skip to main content

dnsdist CVE-2026-33599

| EUVDEUVD-2026-24941 LOW
Out-of-bounds Read (CWE-125)
2026-04-22 security@open-xchange.com GHSA-8fg9-fg58-x78h
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 18:52 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Analysis Generated
Apr 22, 2026 - 15:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24941
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
LOW 3.1

DescriptionCVE.org

A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.

AnalysisAI

dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB response that causes a denial of service via availability impact when DDR is explicitly enabled through the autoUpgrade (Lua) or auto_upgrade (YAML) configuration options. The vulnerability requires adjacent network access and high complexity exploitation conditions, affecting only deployments that have manually enabled DDR functionality-a non-default configuration.

Technical ContextAI

dnsdist is a DNS load balancer and traffic distributor that supports RFC 9250 Discovery of Designated Resolvers (DDR), an upgrade mechanism allowing DNS clients to automatically detect and upgrade to encrypted DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) connections. The vulnerability exists in dnsdist's handling of SVCB (Service Binding) records returned during DDR upgrade requests. When a backend DNS server (or an attacker who can spoof backend responses on the network segment) returns a maliciously crafted SVCB response, the dnsdist resolver fails to properly validate or sanitize the response, resulting in availability degradation. The CWE classification is not specified in available data, but the impact pattern suggests an input validation or resource handling flaw in the DDR upgrade parsing logic. This only affects dnsdist instances where administrators have explicitly enabled DDR via newServer's autoUpgrade option (Lua configuration) or auto_upgrade setting (YAML configuration).

RemediationAI

Upgrade dnsdist to a patched version released by PowerDNS that addresses SVCB response validation. Exact fix version numbers are not provided in the available data-consult the PowerDNS advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html for the specific patched release. As an immediate compensating control for organizations unable to patch promptly, disable DDR upgrade functionality by removing or setting autoUpgrade to false (Lua) or auto_upgrade to false (YAML) in dnsdist configuration, which reverts to the default non-vulnerable state. This mitigation has no functional trade-off for standard DNS load-balancing operations, though it prevents the automatic protocol upgrade capability for DDR-aware clients. Additionally, implement network access controls to restrict which backend DNS servers dnsdist accepts responses from, limiting the attack surface to trusted infrastructure only.

CVE-2017-7557 HIGH
8.8 Aug 22

dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.

CVE-2026-24029 MEDIUM
6.5 Mar 31

PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_d

CVE-2026-27853 MEDIUM
5.9 Mar 31

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan

CVE-2018-14663 MEDIUM
5.9 Nov 26

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d

CVE-2026-24030 MEDIUM
5.3 Mar 31

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious

CVE-2026-24028 MEDIUM
5.3 Mar 31

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential

CVE-2026-27854 MEDIUM
4.8 Mar 31

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method

CVE-2026-33597 LOW
3.7 Apr 22

Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service

CVE-2026-33596 LOW
3.1 Apr 22

dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely ti

CVE-2026-0396 LOW
3.1 Mar 31

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via

Share

CVE-2026-33599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy