SB20260625152 - Multiple vulnerabilities in PowerDNS DNSdist
Published: June 25, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-40011)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disrupt metrics monitoring.
The vulnerability exists due to improper output neutralization in the Prometheus endpoint when processing crafted DNS queries that trigger dynamic block insertion via dynBlockRulesGroup():setSuffixMatchRule() or dynBlockRulesGroup():setSuffixMatchRuleFFI(). A remote attacker can send a large number of crafted DNS queries to disrupt metrics monitoring.
The malformed output causes the scraper to reject the Prometheus endpoint until the dynamic block expires.
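As an added illustration of the failure mode in item 1 (example code, not DNSdist's own; the metric name and the blocked suffix are constructed, and it is an assumption that the block's suffix lands in a label value), the following Python renders Prometheus exposition lines with and without label-value escaping and parses them the way a strict scraper would, rejecting the whole body on the first malformed line:

```python
import re

# Added example, not DNSdist's own code. It models a metrics endpoint that puts
# a string taken from a dynamic block into a label value (assumption), and a
# strict scraper-side parser that rejects the whole body on one malformed line.
_SAMPLE_RE = re.compile(
    r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^{}]*)\})?\s+([+-]?(?:\d+(?:\.\d+)?|Inf)|NaN)$')
# One label; the value may contain only escaped backslash, quote and newline.
_LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\\n]|\\[\\"n])*)"')

def escape_label_value(value: str) -> str:
    # Exposition text format: backslash -> \\, double quote -> \", newline -> \n
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

def unescape_label_value(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def render_sample(name: str, labels: dict, value, escape: bool = True) -> str:
    """Render one sample line; escape=False reproduces an unsafe rendering."""
    esc = escape_label_value if escape else (lambda v: v)
    body = ",".join(f'{k}="{esc(v)}"' for k, v in labels.items())
    return f"{name}{{{body}}} {value}"

def parse_exposition(text: str) -> list:
    """Return (name, labels, value) per sample; raise ValueError on bad input."""
    samples = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = _SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed sample {line!r}")
        name, raw_labels, value = m.groups()
        labels, rest, pos = {}, raw_labels or "", 0
        while pos < len(rest):
            lm = _LABEL_RE.match(rest, pos)
            if not lm or (lm.end() < len(rest) and rest[lm.end()] != ","):
                raise ValueError(f"line {lineno}: malformed label set {rest!r}")
            labels[lm.group(1)] = unescape_label_value(lm.group(2))
            pos = lm.end() + 1
        samples.append((name, labels, float(value)))
    return samples

def scrape_is_valid(text: str) -> bool:
    """A scraper's effective decision: accept every sample or reject the endpoint."""
    try:
        parse_exposition(text)
        return True
    except ValueError:
        return False
```

Because a scraper discards the entire response on one bad line, a single unescaped label value takes every metric of the endpoint out of monitoring, which is the effect the advisory describes.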
2) Misinterpretation of Input (CVE-ID: CVE-2026-42004)
CWE-ID: CWE-115 - Misinterpretation of Input
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to bypass security rules.
The vulnerability exists due to incomplete filtering of EDNS options when DNSdist processes a query carrying a crafted EDNS OPT record while it is also inserting EDNS Client Subnet. A remote attacker can send a crafted EDNS OPT record to bypass security rules.
The backend can receive EDNS options that were not filtered by DNSdist.
3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-42005)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote client to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in the internal web server when handling crafted HTTP requests. A remote client can send a crafted HTTP request to cause a denial of service.
The issue can only be triggered if the internal web server is enabled; it is disabled by default.
4) Incorrect Control Flow Scoping (CVE-ID: CVE-2026-40208)
CWE-ID: CWE-705 - Incorrect Control Flow Scoping
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect handling of invalid frames in the DoH3 query processing logic when a DoH3 GET query arrives with an invalid DATA frame. A remote attacker can send such crafted DoH3 GET queries to cause a denial of service.
The issue can delay the processing of DoH3 queries.
5) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2026-40209)
CWE-ID: CWE-772 - Missing Release of Resource after Effective Lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to missing release of resources after effective lifetime in backend TCP connection handling when processing crafted IXFR queries. A remote attacker can send crafted IXFR queries to cause a denial of service.
Outgoing TCP connections to the backend can remain stuck until a timeout occurs, which can exhaust concurrent backend connections or file descriptors.
6) Buffer over-read (CVE-ID: CVE-2026-40210)
CWE-ID: CWE-126 - Buffer over-read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.
The vulnerability exists due to an out-of-bounds read in SetMacAddrAction when it processes DNS queries. A remote attacker can send DNS queries to a configuration that uses SetMacAddrAction to disclose sensitive information or cause a denial of service.
The issue can result in uninitialized memory being sent over the network or a crash.
7) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-40211)
CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to allocation of resources without limits or throttling in DoH3 stream handling when processing crafted DNS over HTTP/3 queries that trigger an exception. A remote attacker can send crafted DNS over HTTP/3 queries to cause a denial of service.
The affected buffer is freed only at the end of the QUIC connection, and some setups may allow enough concurrent DoH3 streams to trigger an out-of-memory condition.
Remediation
Install the update from the vendor's website.