Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.
AnalysisAI
Connection slot exhaustion in Deadwood (MaraDNS 3.5.0036) allows remote unauthenticated attackers to cause denial of service by triggering lookups for zones with unresolvable authoritative nameserver addresses. This resource exhaustion vulnerability (CWE-670) has CVSS 7.5 severity and EPSS data indicates low exploitation probability. No public exploit identified at time of analysis, though the attack mechanism appears straightforward given the network-accessible attack vector with low complexity.
Technical ContextAI
Deadwood is the recursive DNS resolver component of MaraDNS. The vulnerability stems from improper resource management (CWE-670 - Always-Incorrect Control Flow Implementation) when processing DNS queries for zones whose authoritative nameservers cannot be resolved. When Deadwood attempts to recursively resolve such queries, it allocates connection slots to contact the authoritative nameservers. If these nameserver addresses are unresolvable, the resolver fails to properly release these connection resources, leading to connection slot exhaustion. This represents a classic resource leak condition where finite connection resources are consumed without proper cleanup on error paths. The CPE identifier (cpe:2.3:a:maradns:maradns:*:*:*:*:*:*:*:*) indicates the vulnerability affects the MaraDNS product suite, specifically version 3.5.0036 of the Deadwood resolver component.
RemediationAI
Update MaraDNS/Deadwood to a patched version as documented in the upstream security advisory at https://github.com/samboy/MaraDNS/security/advisories/GHSA-cfc6-vhrv-62cj and detailed in the project changelog at https://maradns.samiam.org/changelog.html. Organizations should review these resources for the specific fixed version addressing CVE-2026-40719. As interim mitigation, implement rate limiting on incoming DNS queries, restrict recursive resolver access to trusted networks only using firewall rules or ACLs, and monitor connection slot utilization for abnormal exhaustion patterns. Consider deploying multiple DNS resolver instances with load balancing to increase resilience against resource exhaustion attacks. For non-public recursive resolvers, ensure access is limited to internal networks only, reducing attack surface. Implement DNS query logging to detect potential exploitation attempts characterized by repeated queries for zones with unresolvable authoritative nameservers.
MaraDNS before 1.3.07.12 and 1.4.x before 1.4.08 computes hash values for DNS data without restricting the ability to tr
MaraDNS is open-source software that implements the Domain Name System (DNS). Rated high severity (CVSS 7.5), this vulne
An issue was discovered in MaraDNS Deadwood through 3.5.0021 that allows variant V1 of unintended domain name resolution
The resolver in MaraDNS before 1.3.0.7.15 and 1.4.x before 1.4.12 overwrites cached server names and TTL values in NS re
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22839