Skip to main content

dnsdist EUVDEUVD-2026-39350

| CVE-2026-40211 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-25 security@open-xchange.com GHSA-8mqg-g8g6-fvw6
5.3
CVSS 3.1 · Vendor: open-xchange
Share

Severity by source

Vendor (open-xchange) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
7.5 HIGH

OOM-induced process crash constitutes complete availability loss (A:H); all other metrics align with the unauthenticated network vector.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (open-xchange).

CVSS VectorVendor: open-xchange

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 14:16 EUVD
Analysis Generated
Jun 25, 2026 - 13:32 vuln.today

DescriptionCVE.org

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.

AnalysisAI

Denial of service in PowerDNS dnsdist's DNS over HTTP/3 (DoH3) handler allows unauthenticated remote attackers to exhaust server memory by opening high volumes of concurrent QUIC streams carrying crafted queries. Each crafted query triggers an exception that defers buffer deallocation until QUIC connection teardown rather than releasing memory promptly, enabling cumulative memory exhaustion across simultaneous streams. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed dnsdist DoH3 (QUIC) listener
Delivery
Establish QUIC connection to DoH3 endpoint
Exploit
Send crafted HTTP/3 DNS queries triggering exception
Execution
Repeat across many concurrent streams
Persist
Accumulated deferred buffers exhaust process memory
Impact
dnsdist crash or unresponsiveness (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the targeted dnsdist instance has the DoH3 (DNS over HTTP/3 over QUIC) listener explicitly configured and network-accessible - instances without DoH3 configured are entirely unaffected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 5.3 Medium vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) correctly reflects remote, unauthenticated exploitability with no interaction required, but the A:L (Low availability) rating likely understates realistic impact - memory exhaustion causing an out-of-memory condition typically results in complete process termination or severe unresponsiveness, which maps more accurately to A:H in practice. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker with network access to the dnsdist DoH3 listener establishes QUIC connections and opens a large number of concurrent HTTP/3 streams, transmitting crafted DNS queries designed to trigger the exception condition on each stream. Because each exception defers buffer release to connection close rather than request completion, buffers accumulate across all open streams; if the attacker sustains enough concurrent streams, available memory is exhausted and the dnsdist process crashes or becomes unresponsive, denying DNS resolution to all legitimate clients. …
Remediation Upgrade dnsdist to the patched version specified in the PowerDNS security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html - the exact fixed release version is not independently confirmed from available input data, so the advisory must be consulted for the precise target version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

EUVD-2026-39350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy