Skip to main content

DNSdist EUVDEUVD-2026-24943

| CVE-2026-33602 MEDIUM
Heap-based Buffer Overflow (CWE-122)
2026-04-22 security@open-xchange.com GHSA-3hg3-qp28-5p96
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 18:52 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Analysis Generated
Apr 22, 2026 - 15:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24943
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 6.5

DescriptionCVE.org

A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.

AnalysisAI

DNSdist is vulnerable to denial of service via out-of-bounds write when processing crafted UDP responses from a rogue backend server. An attacker controlling a backend DNS server can send a specially crafted UDP response with a query ID set off-by-one from the maximum configured value, triggering memory corruption that crashes the DNS forwarder. The CVSS score of 6.5 reflects network attack vector with high complexity and absence of confidentiality impact, though availability and integrity are affected.

Technical ContextAI

DNSdist is a DNS load balancer and forwarding proxy that accepts queries from clients and distributes them to backend DNS servers. The vulnerability exists in the query ID tracking mechanism used to match responses from backends to corresponding client requests. When DNSdist receives a UDP response, it validates the response's query ID against a configured maximum range. The flaw occurs when a malicious backend sends a response with a query ID value that is off-by-one relative to the maximum allowed value, causing the application to perform an out-of-bounds write to memory. This is a classic buffer overflow condition (CWE classification not provided but consistent with bounds-checking failures) affecting DNS response handling. The attack requires network-level access to a backend server or ability to conduct man-in-the-middle attacks on backend connections.

RemediationAI

Patch DNSdist to the version specified in the Open-Xchange advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html. The fix addresses the query ID validation logic to prevent off-by-one errors leading to out-of-bounds writes. As a temporary compensating control pending patching, restrict network access to backend DNS servers to trusted, authenticated infrastructure only and implement network segmentation to prevent untrusted servers from reaching DNSdist. Additionally, monitor DNSdist process crashes and memory errors using operating system-level monitoring, as the out-of-bounds write typically results in detectable segmentation faults. Disable DNS forwarding to untrusted or public-facing backend servers until patched. Note that these controls may impact DNS service availability and should be implemented only if patching cannot be performed immediately.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-24943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy