SB2026051408 - Debian update for dnsdist
Published: May 14, 2026
Description
This security bulletin contains information about 18 vulnerabilities.
1) Improper neutralization of input during web page generation
The vulnerability allows a remote attacker to inject HTML content into the internal web dashboard.
The vulnerability exists due to improper neutralization of input during web page generation in the internal web dashboard when processing crafted DNS queries triggering domain-based dynamic rules. A remote attacker can send crafted DNS queries to inject HTML content into the internal web dashboard.
User interaction is required for the injected content to be viewed, and the issue occurs when domain-based dynamic rules have been enabled via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
2) Overly permissive cross-domain whitelist (CVE-ID: CVE-2026-0397)
The vulnerability allows a remote attacker to disclose information about the running configuration from the dashboard.
The vulnerability exists due to a cross-origin resource sharing policy misconfiguration in the internal webserver dashboard, triggered when an administrator who is logged in to the dashboard visits a malicious website. A remote attacker can trick the administrator into visiting a malicious website and read information about the running configuration from the dashboard.
The issue is present only when the internal webserver is enabled.
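One way to check the condition behind item 2 from the outside, as an added example that is not part of the bulletin and not dnsdist project code: the classifier below takes the response headers returned for a request that carried a foreign Origin header and says whether a page on that origin could read the body in the administrator's browser. The probe function, the attacker origin name and the two sample header sets are illustrative and constructed, not captured from a dnsdist dashboard.

```python
"""Classify CORS response headers for a dashboard audit (added example)."""
import urllib.error
import urllib.request
from typing import Mapping

# Constructed sample responses (not captured from dnsdist) for the two outcomes.
SAMPLE_PERMISSIVE = {
    "Access-Control-Allow-Origin": "https://attacker.example",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_RESTRICTED = {"Content-Type": "application/json"}


def cors_verdict(origin: str, headers: Mapping[str, str]) -> str:
    """Classify a response to a request sent with 'Origin: <origin>' from a
    site the dashboard should not trust.

    'permissive'  the origin is reflected together with
                  Access-Control-Allow-Credentials: true, so a page on that
                  origin can read the body using the admin's session
    'readable'    origin reflected or wildcard without credentials: readable
                  only where the endpoint needs no per-request credentials
    'restricted'  an allow-origin header naming some other origin
    'none'        no allow-origin header: the browser withholds the body
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == origin:
        return "permissive" if creds else "readable"
    if acao == "*":
        return "readable"  # browsers refuse credentialed reads with a wildcard
    return "restricted"


def probe(url: str, origin: str = "https://attacker.example", timeout: float = 5.0) -> str:
    """Send one GET with a foreign Origin and classify the answer. Error
    responses (for example 401) are classified too: their CORS headers
    matter just as much as those on a 200."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return cors_verdict(origin, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return cors_verdict(origin, dict(err.headers.items()))


if __name__ == "__main__":
    print("sample permissive:", cors_verdict("https://attacker.example", SAMPLE_PERMISSIVE))
    print("sample restricted:", cors_verdict("https://attacker.example", SAMPLE_RESTRICTED))
```

Run `probe()` against the dashboard URL only on a host you are authorised to test; a 'permissive' verdict on an endpoint that requires the administrator's session is the situation the bulletin describes, and the same check repeated after the update confirms the fix from the browser's point of view.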
3) Out-of-bounds read (CVE-ID: CVE-2026-24028)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds read in DNS packet parsing via newDNSPacketOverlay in custom Lua code when parsing crafted DNS response packets. A remote attacker can send a crafted DNS response packet to cause a denial of service.
The issue occurs when custom Lua code uses newDNSPacketOverlay to parse DNS packets, and the out-of-bounds read might also access unrelated memory.
4) Incorrect authorization (CVE-ID: CVE-2026-24029)
The vulnerability allows a remote attacker to bypass access controls for DNS over HTTPS queries.
The vulnerability exists due to improper access control in the DNS over HTTPS frontend using the nghttp2 provider when the early_acl_drop option is disabled. A remote attacker can send DoH queries to bypass access controls for DNS over HTTPS queries.
The issue occurs only on DNS over HTTPS frontends using the nghttp2 provider with early_acl_drop disabled.
5) Uncontrolled Memory Allocation (CVE-ID: CVE-2026-24030)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled memory allocation in DNS over QUIC and DNS over HTTP/3 payload processing when handling DoQ or DoH3 queries. A remote attacker can send DoQ or DoH3 queries to cause a denial of service.
In some environments the condition results in an exception and connection closure, but in others it might lead to an out-of-memory state and process termination.
6) Out-of-bounds write (CVE-ID: CVE-2026-27853)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in packet rewriting via DNSQuestion:changeName or DNSResponse:changeName in custom Lua code when processing crafted DNS responses. A remote attacker can send crafted DNS responses to cause a denial of service.
The issue occurs in very specific setups using these custom Lua methods, where a rewritten packet can become larger than the initial response and exceed 65535 bytes.
7) Use-after-free (CVE-ID: CVE-2026-27854)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in EDNS option parsing via DNSQuestion:getEDNSOptions in custom Lua code when processing crafted DNS queries. A remote attacker can send crafted DNS queries to cause a denial of service.
The issue occurs in very specific setups where custom Lua code uses DNSQuestion:getEDNSOptions, and the vulnerable reference can point to a modified version of the DNS packet.
8) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33254)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in DoQ and DoH3 connection handling when opening a large number of connections. A remote attacker can open a large number of DoQ or DoH3 connections to cause a denial of service.
DoQ and DoH3 are disabled by default.
9) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33257)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource allocation in internal web server when handling crafted HTTP requests. A remote attacker can send a crafted HTTP request to cause a denial of service.
Note: the internal web server is disabled by default.
10) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33260)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource allocation in internal web server when handling crafted HTTP requests. A remote attacker can send a crafted HTTP request to cause a denial of service.
Note: the internal web server is disabled by default.
11) Division by zero (CVE-ID: CVE-2026-33593)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to divide-by-zero in DNSCrypt query processing when parsing a crafted DNSCrypt query. A remote attacker can send a crafted DNSCrypt query to cause a denial of service.
12) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33594)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in outgoing DoH handling when routing many queries to an overloaded DoH backend. A remote attacker can generate many queries that are routed to an overloaded DoH backend to cause a denial of service.
Queries accumulate in a buffer that is not released until the end of the connection.
13) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33595)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in DoQ and DoH3 connection handling when generating many error responses over a single connection. A remote attacker can generate many error responses over a single DoQ or DoH3 connection to cause a denial of service.
Resources are not properly released until the end of the connection.
14) Integer overflow (CVE-ID: CVE-2026-33596)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an integer overflow in TCP backend stream ID handling when processing perfectly timed queries routed to a TCP-only or DNS over TLS backend. A remote attacker can send a flood of perfectly timed queries to cause a denial of service.
Exploitation requires queries to be routed to a TCP-only or DNS over TLS backend.
15) Input validation error (CVE-ID: CVE-2026-33597)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the PRSD detection algorithm when processing a crafted query containing an invalid DNS label. A remote attacker can send a crafted query to cause a denial of service.
The issue affects only PRSD detection enabled via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
16) Out-of-bounds read (CVE-ID: CVE-2026-33598)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to out-of-bounds read in packet cache inspection via Lua when custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a cached crafted response. A remote attacker can supply a crafted response that is cached to disclose sensitive information.
Exploitation requires custom Lua code to call getDomainListByAddress() or getAddressListByDomain() on a packet cache.
17) Out-of-bounds read (CVE-ID: CVE-2026-33599)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in service discovery when processing crafted SVCB responses. A remote attacker can send a crafted SVCB response to cause a denial of service.
Exploitation requires DDR upgrade to be enabled via the autoUpgrade or auto_upgrade settings.
18) Out-of-bounds write (CVE-ID: CVE-2026-33602)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to an out-of-bounds write in UDP response processing when handling crafted UDP responses from a backend. A remote attacker controlling a backend can send a crafted UDP response whose query ID is off by one relative to the maximum configured value to cause a denial of service.
Exploitation requires a rogue backend.
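Most of the items above apply only when a particular dnsdist feature or Lua call is in use. The script below, an added example that is not part of the bulletin and not dnsdist project code, reads a dnsdist Lua configuration, discards Lua comments, and reports which bulletin items have their stated precondition present. The Lua identifiers quoted in the bulletin (setSuffixMatchRule, newDNSPacketOverlay, changeName, getEDNSOptions, getDomainListByAddress, getAddressListByDomain, autoUpgrade/auto_upgrade) are used as written; the frontend function names webserver, addDOHLocal, addDOQLocal, addDOH3Local and addDNSCryptBind are assumptions about the dnsdist Lua configuration API, and the embedded configuration is a constructed sample.

```python
"""Triage a dnsdist Lua configuration against this bulletin (added example)."""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Bulletin item -> (identifiers whose presence satisfies the precondition, summary).
# Identifiers quoted in the bulletin are used as written. The frontend function
# names (webserver, addDOHLocal, addDOQLocal, addDOH3Local, addDNSCryptBind) are
# assumptions about the dnsdist Lua configuration API.
PRECONDITIONS: Dict[int, Tuple[Tuple[str, ...], str]] = {
    1: (("setSuffixMatchRule", "setSuffixMatchRuleFFI"),
        "domain-based dynamic rules enabled: dashboard HTML injection"),
    2: (("webserver",), "internal webserver enabled: permissive CORS"),
    3: (("newDNSPacketOverlay",), "custom Lua packet parsing: out-of-bounds read"),
    4: (("addDOHLocal",), "DoH frontend present: check for nghttp2 with early_acl_drop disabled"),
    5: (("addDOQLocal", "addDOH3Local"), "DoQ/DoH3 enabled: uncontrolled allocation"),
    6: (("changeName",), "custom Lua name rewriting: out-of-bounds write"),
    7: (("getEDNSOptions",), "custom Lua EDNS option parsing: use-after-free"),
    8: (("addDOQLocal", "addDOH3Local"), "DoQ/DoH3 enabled: connection exhaustion"),
    9: (("webserver",), "internal webserver enabled: crafted HTTP request DoS"),
    10: (("webserver",), "internal webserver enabled: crafted HTTP request DoS"),
    11: (("addDNSCryptBind",), "DNSCrypt frontend present: division by zero"),
    13: (("addDOQLocal", "addDOH3Local"), "DoQ/DoH3 enabled: error-response resource leak"),
    15: (("setSuffixMatchRule", "setSuffixMatchRuleFFI"), "PRSD detection enabled: invalid label DoS"),
    16: (("getDomainListByAddress", "getAddressListByDomain"),
         "custom Lua packet cache inspection: out-of-bounds read"),
    17: (("autoUpgrade", "auto_upgrade"), "DDR auto-upgrade enabled: crafted SVCB DoS"),
}
# Items 12, 14 and 18 depend on backend behaviour or backend configuration and
# are not inferred from the frontend side of the configuration.
UNCHECKED = (12, 14, 18)

# Constructed sample dnsdist.conf; it is not a real deployment's configuration.
SAMPLE_CONF = """\
-- constructed sample dnsdist.conf for this example
webserver("127.0.0.1:8083")
setWebserverConfig({password="hunter2", apiKey="k"})
local dbr = dynBlockRulesGroup()
dbr:setSuffixMatchRule(20, "PRSD", 60, DNSAction.Drop, prsdVisitor)
newServer({address="192.0.2.53", autoUpgrade=true})
-- newDNSPacketOverlay is only mentioned in this comment
--[[ DoQ frontend is commented out:
addDOQLocal("0.0.0.0:853", "cert.pem", "key.pem")
]]
"""


def strip_lua_comments(text: str) -> str:
    """Remove --[[ ... ]] block comments first, then -- line comments."""
    text = re.sub(r"--\[\[.*?\]\]", "", text, flags=re.S)
    return re.sub(r"--[^\n]*", "", text)


def identifiers(text: str) -> set:
    """Identifier tokens of the comment-stripped config. Tokenising means that
    setWebserverConfig does not count as a use of webserver."""
    return set(re.findall(r"[A-Za-z_][A-Za-z0-9_]*", strip_lua_comments(text)))


def triage(config_text: str) -> Dict[int, List[str]]:
    """Return {bulletin item: [matched identifiers]} for every item whose
    precondition appears in the configuration."""
    found = identifiers(config_text)
    hits: Dict[int, List[str]] = {}
    for item, (names, _) in PRECONDITIONS.items():
        matched = [n for n in names if n in found]
        if matched:
            hits[item] = matched
    return hits


def main(argv: List[str]) -> int:
    text = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_CONF
    hits = triage(text)
    for item in sorted(hits):
        print(f"item {item:2d}: {PRECONDITIONS[item][1]} (found: {', '.join(hits[item])})")
    print("not checked (backend-dependent): items " + ", ".join(map(str, UNCHECKED)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 triage.py /etc/dnsdist/dnsdist.conf`; a hit means the precondition is present, not that the host is exploitable, and a clean run still leaves items 12, 14 and 18 to assess against the backend configuration. dnsdist 2.0 YAML configurations need the snake_case names and `#` comments and are not handled here.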
Remediation
Install the update from the vendor's website.