SB20260424302 - SUSE update for dnsdist
Published: April 24, 2026
Description
This security bulletin contains information about 7 security vulnerabilities.
1) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2026-0396)
The vulnerability allows a remote attacker to inject HTML content into the internal web dashboard.
The vulnerability exists due to improper neutralization of input during web page generation in the internal web dashboard when processing crafted DNS queries triggering domain-based dynamic rules. A remote attacker can send crafted DNS queries to inject HTML content into the internal web dashboard.
User interaction is required for the injected content to be viewed, and the issue occurs when domain-based dynamic rules have been enabled via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
2) Overly permissive cross-domain whitelist (CVE-ID: CVE-2026-0397)
The vulnerability allows a remote attacker to disclose information about the running configuration from the dashboard.
The vulnerability exists due to a cross-origin resource sharing policy misconfiguration in the internal webserver dashboard, exploitable when an administrator who is logged in to the dashboard visits a malicious website. A remote attacker can trick the administrator into visiting a malicious website to disclose information about the running configuration from the dashboard.
The issue is present only when the internal webserver is enabled.
3) Out-of-bounds read (CVE-ID: CVE-2026-24028)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in DNS packet parsing via newDNSPacketOverlay in custom Lua code when parsing crafted DNS response packets. A remote attacker can send a crafted DNS response packet to cause a denial of service.
The issue occurs when custom Lua code uses newDNSPacketOverlay to parse DNS packets, and the out-of-bounds read might also access unrelated memory.
4) Incorrect authorization (CVE-ID: CVE-2026-24029)
The vulnerability allows a remote attacker to bypass access controls for DNS over HTTPS queries.
The vulnerability exists due to improper access control in the DNS over HTTPS frontend using the nghttp2 provider when the early_acl_drop option is disabled. A remote attacker can send DoH queries to bypass access controls for DNS over HTTPS queries.
The issue occurs only on DNS over HTTPS frontends using the nghttp2 provider with early_acl_drop disabled.
5) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-24030)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in DNS over QUIC and DNS over HTTP/3 payload processing when handling DoQ or DoH3 queries. A remote attacker can send DoQ or DoH3 queries to cause a denial of service.
In some environments the condition results in an exception and connection closure, but in others it might lead to an out-of-memory state and process termination.
6) Out-of-bounds write (CVE-ID: CVE-2026-27853)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in packet rewriting via DNSQuestion:changeName or DNSResponse:changeName in custom Lua code when processing crafted DNS responses. A remote attacker can send crafted DNS responses to cause a denial of service.
The issue occurs in very specific setups using these custom Lua methods, where a rewritten packet can become larger than the initial response and exceed 65535 bytes.
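Items 3 and 6 both concern custom Lua code that parses or rewrites raw DNS packets. The following Python is added here as an illustration; it is not taken from dnsdist or from this bulletin and does not model the internals of newDNSPacketOverlay or changeName. It shows the defender's side of both bug classes: a name parser whose every read is checked against the buffer length (so a crafted or truncated response is rejected instead of read past its end), and a question-name rewrite that refuses any result larger than 65535 bytes. The sample packets, the pointer-hop cap and all helper names are constructed for the example.

```python
# Added illustrative example, not dnsdist code: a bounds-checked DNS name parser
# and a question-name rewrite that refuses to exceed the 65535-byte message limit.
import struct
from typing import Tuple

MAX_DNS_MESSAGE = 65535   # largest DNS message a 16-bit length prefix can carry
HEADER_LEN = 12           # fixed DNS header size
MAX_LABEL = 63            # RFC 1035 label length limit
MAX_POINTER_HOPS = 16     # cap on compression-pointer chains (chosen here, not a standard)


class MalformedPacket(ValueError):
    """Raised instead of reading outside the buffer (the bug class of item 3)."""


class OversizedPacket(ValueError):
    """Raised instead of writing past MAX_DNS_MESSAGE (the bug class of item 6)."""


def read_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Parse a DNS name at `offset`; return (dotted name, offset just after it).
    Every access is checked against len(pkt), pointers may only go backwards
    and hops are capped, so crafted input cannot read out of bounds or loop."""
    labels, resume, hops = [], None, 0
    while True:
        if offset >= len(pkt):
            raise MalformedPacket("name runs past end of packet")
        length = pkt[offset]
        if length == 0:                        # root label ends the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:              # compression pointer (11xxxxxx)
            if offset + 1 >= len(pkt):
                raise MalformedPacket("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[offset + 1]
            if target >= offset:
                raise MalformedPacket("forward or self-referencing pointer")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedPacket("too many compression hops")
            if resume is None:                 # caller continues after the first pointer
                resume = offset + 2
            offset = target
            continue
        if length > MAX_LABEL or offset + 1 + length > len(pkt):
            raise MalformedPacket("label too long or runs past end of packet")
        labels.append(pkt[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels) + ".", (resume if resume is not None else offset)


def encode_name(name: str) -> bytes:
    """Encode a dotted name into uncompressed wire format."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label == "":                        # the root name "." has no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > MAX_LABEL:
            raise ValueError("label longer than 63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(qname: str, qtype: int = 1, qclass: int = 1, txid: int = 0x1234) -> bytes:
    """Constructed sample query: header with RD set and a single question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def change_qname(pkt: bytes, new_name: str) -> bytes:
    """Replace the question name, refusing any result larger than MAX_DNS_MESSAGE.
    Only the size constraint of item 6 is modelled: bytes after the old name are
    copied as-is, and pointers elsewhere that point into the old name are not repaired."""
    if len(pkt) < HEADER_LEN:
        raise MalformedPacket("packet shorter than a DNS header")
    if struct.unpack("!H", pkt[4:6])[0] < 1:
        raise MalformedPacket("no question section to rewrite")
    _, end = read_name(pkt, HEADER_LEN)
    rewritten = pkt[:HEADER_LEN] + encode_name(new_name) + pkt[end:]
    if len(rewritten) > MAX_DNS_MESSAGE:
        raise OversizedPacket("rewritten packet is %d bytes, limit is %d"
                              % (len(rewritten), MAX_DNS_MESSAGE))
    return rewritten


def demo() -> dict:
    """Run the constructed cases and return a verdict per case."""
    results = {}
    q = build_query("example.com.")
    results["parse"] = read_name(q, HEADER_LEN)[0]
    results["pointer"] = read_name(q + b"\xc0\x0c", len(q))[0]   # 0xC00C points back to offset 12
    results["rewrite"] = read_name(change_qname(q, "example.org."), HEADER_LEN)[0]
    for case, pkt in (("truncated", b"\x07examp"), ("self_pointer", b"\xc0\x00")):
        try:
            read_name(pkt, 0)
            results[case] = "accepted"
        except MalformedPacket:
            results[case] = "rejected"
    base = build_query("a.example.")            # a message already at the size limit
    padded = base + b"\x00" * (MAX_DNS_MESSAGE - len(base))
    try:
        change_qname(padded, "abc.example.")    # two bytes longer: must be refused
        results["oversized"] = "accepted"
    except OversizedPacket:
        results["oversized"] = "rejected"
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:13} {verdict}")
```

Running the block prints one verdict per constructed case: the well-formed query, the compression pointer and the same-length rewrite parse cleanly, while the truncated label, the self-referencing pointer and the rewrite that would exceed 65535 bytes are rejected before any out-of-bounds access could happen.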
7) Use-after-free (CVE-ID: CVE-2026-27854)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in EDNS option parsing via DNSQuestion:getEDNSOptions in custom Lua code when processing crafted DNS queries. A remote attacker can send crafted DNS queries to cause a denial of service.
The issue occurs in very specific setups where custom Lua code uses DNSQuestion:getEDNSOptions, and the vulnerable reference can point to a modified version of the DNS packet.
Remediation
Install the update from the vendor's website.