Skip to main content

Maradns EUVDEUVD-2026-22839

| CVE-2026-40719 HIGH
Always-Incorrect Control Flow Implementation (CWE-670)
2026-04-15 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 07:21 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 07:15 euvd
EUVD-2026-22839
Analysis Generated
Apr 15, 2026 - 07:15 vuln.today
CVE Published
Apr 15, 2026 - 06:23 nvd
HIGH 7.5

DescriptionCVE.org

Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.

AnalysisAI

Connection slot exhaustion in Deadwood (MaraDNS 3.5.0036) allows remote unauthenticated attackers to cause denial of service by triggering lookups for zones with unresolvable authoritative nameserver addresses. This resource exhaustion vulnerability (CWE-670) has CVSS 7.5 severity and EPSS data indicates low exploitation probability. No public exploit identified at time of analysis, though the attack mechanism appears straightforward given the network-accessible attack vector with low complexity.

Technical ContextAI

Deadwood is the recursive DNS resolver component of MaraDNS. The vulnerability stems from improper resource management (CWE-670 - Always-Incorrect Control Flow Implementation) when processing DNS queries for zones whose authoritative nameservers cannot be resolved. When Deadwood attempts to recursively resolve such queries, it allocates connection slots to contact the authoritative nameservers. If these nameserver addresses are unresolvable, the resolver fails to properly release these connection resources, leading to connection slot exhaustion. This represents a classic resource leak condition where finite connection resources are consumed without proper cleanup on error paths. The CPE identifier (cpe:2.3:a:maradns:maradns:*:*:*:*:*:*:*:*) indicates the vulnerability affects the MaraDNS product suite, specifically version 3.5.0036 of the Deadwood resolver component.

RemediationAI

Update MaraDNS/Deadwood to a patched version as documented in the upstream security advisory at https://github.com/samboy/MaraDNS/security/advisories/GHSA-cfc6-vhrv-62cj and detailed in the project changelog at https://maradns.samiam.org/changelog.html. Organizations should review these resources for the specific fixed version addressing CVE-2026-40719. As interim mitigation, implement rate limiting on incoming DNS queries, restrict recursive resolver access to trusted networks only using firewall rules or ACLs, and monitor connection slot utilization for abnormal exhaustion patterns. Consider deploying multiple DNS resolver instances with load balancing to increase resilience against resource exhaustion attacks. For non-public recursive resolvers, ensure access is limited to internal networks only, reducing attack surface. Implement DNS query logging to detect potential exploitation attempts characterized by repeated queries for zones with unresolvable authoritative nameservers.

Share

EUVD-2026-22839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy