Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.
AnalysisAI
dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB response that causes a denial of service via availability impact when DDR is explicitly enabled through the autoUpgrade (Lua) or auto_upgrade (YAML) configuration options. The vulnerability requires adjacent network access and high complexity exploitation conditions, affecting only deployments that have manually enabled DDR functionality-a non-default configuration.
Technical ContextAI
dnsdist is a DNS load balancer and traffic distributor that supports RFC 9250 Discovery of Designated Resolvers (DDR), an upgrade mechanism allowing DNS clients to automatically detect and upgrade to encrypted DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) connections. The vulnerability exists in dnsdist's handling of SVCB (Service Binding) records returned during DDR upgrade requests. When a backend DNS server (or an attacker who can spoof backend responses on the network segment) returns a maliciously crafted SVCB response, the dnsdist resolver fails to properly validate or sanitize the response, resulting in availability degradation. The CWE classification is not specified in available data, but the impact pattern suggests an input validation or resource handling flaw in the DDR upgrade parsing logic. This only affects dnsdist instances where administrators have explicitly enabled DDR via newServer's autoUpgrade option (Lua configuration) or auto_upgrade setting (YAML configuration).
RemediationAI
Upgrade dnsdist to a patched version released by PowerDNS that addresses SVCB response validation. Exact fix version numbers are not provided in the available data-consult the PowerDNS advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html for the specific patched release. As an immediate compensating control for organizations unable to patch promptly, disable DDR upgrade functionality by removing or setting autoUpgrade to false (Lua) or auto_upgrade to false (YAML) in dnsdist configuration, which reverts to the default non-vulnerable state. This mitigation has no functional trade-off for standard DNS load-balancing operations, though it prevents the automatic protocol upgrade capability for DDR-aware clients. Additionally, implement network access controls to restrict which backend DNS servers dnsdist accepts responses from, limiting the attack surface to trusted infrastructure only.
dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.
PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_d
DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan
An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d
Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious
Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential
DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method
Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service
dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely ti
HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24941
GHSA-8fg9-fg58-x78h