ALT-PU-2026-6679-2

CVE-2026-33254

HIGH7.5

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.

Published: 2026-04-22Modified: 2026-04-27

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33257

HIGH7.5

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

Published: 2026-04-22Modified: 2026-04-27

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-33260

HIGH7.5

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

Published: 2026-04-22Modified: 2026-04-27

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2026-33593

HIGH7.5

A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33594

HIGH7.5

A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33595

HIGH7.5

A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33596

MEDIUM6.5

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33597

HIGH7.5

PRSD detection denial of service

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33598

CRITICAL9.1

A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xCRITICAL 9.1

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33599

HIGH8.1

A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xHIGH 8.1

CVSS:3.x/CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

CVE-2026-33602

HIGH8.2

A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.

Published: 2026-04-22Modified: 2026-04-24

CVSS 3.xHIGH 8.2

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html

Package update dnsdist in branch c10f2

Closed issues (11)

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.

A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.

PRSD detection denial of service

A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.

A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.

A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.