Skip to main content

dnsdist CVE-2026-40208

| EUVDEUVD-2026-39347 LOW
Incorrect Control Flow Scoping (CWE-705)
2026-06-25 security@open-xchange.com GHSA-2cpw-vgr2-pw3h
3.7
CVSS 3.1 · Vendor: open-xchange

Severity by source

Vendor (open-xchange) PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

Network-delivered with no auth needed, but AC:H because DoH3 must be enabled and frames must be precisely malformed; only low availability impact confirmed.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (open-xchange).

CVSS VectorVendor: open-xchange

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 14:16 EUVD
Analysis Generated
Jun 25, 2026 - 13:31 vuln.today

DescriptionCVE.org

An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.

AnalysisAI

Query processing delays in dnsdist's DoH3 (DNS over HTTPS/3) implementation allow unauthenticated remote attackers to partially degrade DNS resolution availability by sending crafted GET requests containing invalid HTTP/3 DATA frames. Affected deployments are limited to those with DoH3 explicitly enabled; the CVSS score of 3.7 reflects high attack complexity and only a low availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify dnsdist instance with DoH3 enabled
Delivery
Establish QUIC connection to DoH3 listener
Exploit
Send GET query with crafted invalid DATA frame
Execution
Trigger slow error-handling path in dnsdist
Impact
Delay processing of legitimate DoH3 queries

Vulnerability AssessmentAI

Exploitation DoH3 (DNS over HTTPS/3, using the QUIC transport) must be explicitly configured and enabled on the target dnsdist instance - this is not a default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.7 base score (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) signals a low-priority finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a dnsdist instance that has DoH3 enabled sends a stream of DoH3 GET queries over QUIC, each embedding a deliberately malformed HTTP/3 DATA frame. The dnsdist process enters a slow error-handling path for each such frame, accumulating processing delay that causes legitimate DoH3 queries to experience elevated latency or timeouts. …
Remediation Consult the official PowerDNS security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html to obtain the patched dnsdist release version and apply the vendor-supplied upgrade - an exact fix version was not included in the available intelligence data and cannot be stated here without risking an invented version number. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy