Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable with no authentication; AC:H for required OPT craft precision; integrity limited to filter bypass reaching backend; no confidentiality or availability impact.
Primary rating from Vendor (open-xchange).
CVSS VectorVendor: open-xchange
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
AnalysisAI
EDNS OPT filter bypass in DNSdist exposes backend DNS servers to EDNS extension options that DNSdist was configured to suppress. The flaw is triggered specifically by the EDNS Client Subnet (ECS) insertion code path, which silently normalizes a crafted malformed OPT record - one that evaded DNSdist's filter - into a syntactically valid OPT record forwarded to the upstream backend. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target DNSdist instance has EDNS Client Subnet insertion explicitly enabled - this is the specific feature that triggers the filter bypass during OPT record reconstruction. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the threat profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a crafted DNS query to a DNSdist instance containing a specially structured EDNS OPT record - malformed or edge-case enough to be silently dropped by DNSdist's configured filter rules, yet structured such that the ECS insertion code path reconstructs it into a valid OPT record carrying the originally-filtered EDNS options. The upstream backend DNS server receives the reconstructed query and processes the suppressed options, potentially logging or acting on client subnet data the operator intended to withhold. … |
| Remediation | Consult the official PowerDNS security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html for the patched DNSdist release and upgrade instructions; the exact fixed version is not confirmed in the available CVE data and should not be assumed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-115 – Misinterpretation of Input
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39351
GHSA-q4qq-c3qm-82jj