Skip to main content

DNSdist EUVDEUVD-2026-24927

| CVE-2026-33254 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 security@open-xchange.com GHSA-wgv5-fpv8-m4jc
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 16:58 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Analysis Generated
Apr 22, 2026 - 15:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24927
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.3

DescriptionCVE.org

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.

AnalysisAI

DNSdist allows remote attackers to create unlimited concurrent DoQ (DNS over QUIC) or DoH3 (DNS over HTTPS/3) connections, triggering unbounded memory allocation and denial of service. The vulnerability affects configurations where these protocols are explicitly enabled, as both are disabled by default. No authentication is required for exploitation, and CVSS 5.3 (AC:L, AV:N) indicates straightforward network-based triggering under default conditions.

Technical ContextAI

DNSdist is an open-source DNS load balancer and traffic policy tool that supports multiple DNS transport protocols. DoQ (DNS over QUIC, RFC 9250) and DoH3 (DNS over HTTPS/3) are modern encrypted DNS transports built on UDP and QUIC/HTTP/3 respectively. When these protocols are enabled in DNSdist, the application lacks connection pooling or memory limits for concurrent sessions, allowing an attacker to exhaust server memory by opening many simultaneous connections without sending or completing DNS queries. The root cause is improper resource management during connection establishment in the affected protocol handlers, classified under improper resource validation rather than a specific CWE but conceptually related to CWE-770 (Allocation of Resources Without Limits or Throttling).

RemediationAI

Upgrade DNSdist to the patched version specified in the PowerDNS advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html. If patching cannot be immediately applied, immediately disable DoQ and DoH3 in the DNSdist configuration (e.g., comment out or remove 'addDOQLocal' and 'addDOH3Local' directives and restart the service) - this eliminates the attack surface entirely since both protocols are non-essential for standard DNS service. If DoQ/DoH3 functionality is required, implement rate limiting at the network layer (use firewall or load balancer rules to limit new connection rates from any single source) and configure OS-level socket limits (ulimit -n) and DNSdist resource quotas if available; note that rate limiting is a temporary mitigation and does not address the underlying memory leak, only slows exploitation.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-24927 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy