dnsdist CVE-2026-33599

EUVD-2026-24941
Severity: LOW
Weakness: Out-of-bounds Read (CWE-125)
CVSS 3.1 score: 3.1

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Lifecycle Timeline

Patch available: Apr 22, 2026 - 16:33 (EUVD)
Analysis Generated: Apr 22, 2026 - 15:02 (vuln.today)

Description (NVD)

A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.

Analysis (AI)

dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB response that causes a denial of service (availability impact) when DDR is explicitly enabled through the autoUpgrade (Lua) or auto_upgrade (YAML) configuration options. Exploitation requires adjacent network access and high-complexity conditions, and it affects only deployments that have manually enabled DDR functionality, which is a non-default configuration.
