Skip to main content

dnsdist EUVDEUVD-2026-24931

| CVE-2026-33594 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 security@open-xchange.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 16:48 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Analysis Generated
Apr 22, 2026 - 15:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24931
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.3

DescriptionCVE.org

A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

AnalysisAI

dnsdist can be forced into excessive memory allocation when a client generates high volumes of DNS queries routed to an overloaded DNS-over-HTTPS (DoH) backend, causing queries to accumulate in an unbounded buffer that persists until connection closure. This denial-of-service condition affects dnsdist deployments with DoH backends under load, allowing unauthenticated remote attackers to exhaust server memory with sustained query traffic.

Technical ContextAI

dnsdist is a DNS load balancer and distributor that forwards DNS queries to backend resolvers, including DNS-over-HTTPS (DoH) endpoints. The vulnerability resides in the DoH backend routing logic, where incoming client queries are buffered while awaiting responses from the overloaded DoH server. The root cause is improper memory management: when the DoH backend becomes saturated, query buffers are not released incrementally but instead accumulate until the client connection terminates. This violates the principle of bounded resource allocation in network services. The issue is exacerbated when clients maintain persistent connections and repeat queries; each query adds to an unbounded accumulator rather than being discarded or rate-limited. CWE classification is not provided by the vendor, but this pattern aligns with CWE-400 (Uncontrolled Resource Consumption) or CWE-770 (Allocation of Resources Without Limits or Throttling).

RemediationAI

Apply the patched version of dnsdist released by PowerDNS in response to advisory 2026-04, available at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html. The patch implements bounded buffer allocation and query discarding for overloaded DoH backends. Until patching is feasible, implement rate-limiting on inbound DNS queries using dnsdist's query rate-limiting rules to cap queries from individual clients or subnets, reducing buffer accumulation. Additionally, configure backend health checks and failover to alternative DoH servers to prevent sustained overload conditions. Monitor memory usage on dnsdist instances with DoH backends and set alerts to trigger on sustained memory growth above baseline; consider implementing memory limits via operating system controls (cgroups, ulimit) as a fail-safe. These mitigations reduce attack impact but do not eliminate the root cause and should be treated as temporary measures pending patch deployment.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-24931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy