Skip to main content

dnsdist EUVDEUVD-2026-24935

| CVE-2026-33596 LOW
Integer Overflow or Wraparound (CWE-190)
2026-04-22 security@open-xchange.com
3.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.1 LOW
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 18:50 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Analysis Generated
Apr 22, 2026 - 15:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24935
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
LOW 3.1

DescriptionCVE.org

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.

AnalysisAI

dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely timed floods of queries routed to TCP-only or DNS over TLS backends. An adjacent network attacker with high timing precision can cause limited availability impact by desynchronizing the query-response correlation on affected backends, though exploitation requires favorable network conditions and careful query timing. This issue carries a low CVSS score (3.1) reflecting the high attack complexity and adjacency requirement.

Technical ContextAI

dnsdist is a DNS load balancer and distribution tool that routes queries to backend DNS servers. The vulnerability involves the internal query-response matching mechanism used by dnsdist when forwarding queries over TCP or DNS over TLS (DoT) protocols. The root cause relates to how dnsdist correlates outbound queries with received responses when backend connections operate in these protocols, which maintain persistent connections but require explicit matching of queries to responses. An attacker positioned on the network adjacency can exploit timing-dependent race conditions to induce misalignment between sent queries and received answers, causing responses to be associated with incorrect original queries.

RemediationAI

Upgrade dnsdist to the patched version specified in the PowerDNS advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html. If immediate patching is not possible, operators can reduce risk by implementing network-level controls to restrict access to dnsdist from untrusted adjacent networks, limiting concurrent query rates, or disabling TCP-only and DNS over TLS backend routes if they are not essential to operations. Note that disabling these backend protocols may reduce redundancy or encryption protections, so this trade-off should be evaluated against the organization's DNS resilience requirements. Prioritize patching for dnsdist instances that handle traffic from less-trusted network segments.

CVE-2017-7557 HIGH
8.8 Aug 22

dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.

CVE-2026-24029 MEDIUM
6.5 Mar 31

PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_d

CVE-2026-27853 MEDIUM
5.9 Mar 31

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan

CVE-2018-14663 MEDIUM
5.9 Nov 26

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d

CVE-2026-24030 MEDIUM
5.3 Mar 31

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious

CVE-2026-24028 MEDIUM
5.3 Mar 31

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential

CVE-2026-27854 MEDIUM
4.8 Mar 31

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method

CVE-2026-33597 LOW
3.7 Apr 22

Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service

CVE-2026-33599 LOW
3.1 Apr 22

dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB respon

CVE-2026-0396 LOW
3.1 Mar 31

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via

Share

EUVD-2026-24935 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy