Improper Encoding or Escaping of Output in dnsdist - CVE-2026-40011

Published: June 25, 2026

Vulnerability identifier: #VU135336
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-40011
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PowerDNS.COM B.V.
Affected software:
dnsdist

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass monitoring integrity.

The vulnerability exists due to improper output neutralization in the Prometheus endpoint when processing crafted DNS queries that trigger dynamic block insertion via dynBlockRulesGroup():setSuffixMatchRule() or dynBlockRulesGroup():setSuffixMatchRuleFFI(). A remote attacker can send a large number of crafted DNS queries to bypass monitoring integrity.

The invalid output causes the Prometheus scraper to reject the endpoint's response until the dynamic block expires, so the instance goes unmonitored for that period.
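The practical consequence described above is that a single malformed line makes the scraper discard the whole metrics response. The following added example (not dnsdist's code, and not the project's real metric names) shows the two sides of that: the escaping the Prometheus text exposition format requires for label values, and a scraper-side check that flags which lines would cause a scrape to be rejected. It assumes, as an illustration only, that the affected output is a metric whose label value carries a string derived from the blocked query name; the advisory does not state the exact mechanism.

```python
import re

# Prometheus text exposition format (version 0.0.4): inside a label value,
# backslash, double quote and newline must be written as \\ , \" and \n.
# Every other character is passed through verbatim.
def escape_label_value(value: str) -> str:
    return (value.replace("\\", "\\\\")
                 .replace('"', '\\"')
                 .replace("\n", "\\n"))


def render_sample(metric: str, labels: dict[str, str], value: float,
                  escape: bool = True) -> str:
    """Build one sample line. escape=False reproduces the CWE-116 failure
    mode: an untrusted string is written into a label value as-is."""
    body = ",".join(
        f'{k}="{escape_label_value(v) if escape else v}"'
        for k, v in labels.items()
    )
    return f"{metric}{{{body}}} {value}"


# Grammar of a single sample line, following the text format specification.
_METRIC_NAME = r"[A-Za-z_:][A-Za-z0-9_:]*"
_LABEL_NAME = r"[A-Za-z_][A-Za-z0-9_]*"
_LABEL_VALUE = r'"(?:[^"\\\n]|\\.)*"'          # only escaped specials allowed
_LABEL = rf"{_LABEL_NAME}={_LABEL_VALUE}"
_LABELS = rf"\{{\s*(?:{_LABEL}\s*(?:,\s*{_LABEL}\s*)*,?)?\}}"
_NUMBER = r"[-+]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][-+]?\d+)?|[-+]?Inf|NaN"
_SAMPLE_LINE = re.compile(
    rf"^{_METRIC_NAME}\s*(?:{_LABELS})?\s+(?:{_NUMBER})(?:\s+-?\d+)?\s*$"
)


def find_malformed_lines(exposition: str) -> list[tuple[int, str]]:
    """Return (line number, text) for every line a strict scraper would
    refuse. Blank lines and '#' comment/HELP/TYPE lines are skipped."""
    bad = []
    for lineno, line in enumerate(exposition.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        if not _SAMPLE_LINE.match(line):
            bad.append((lineno, line))
    return bad


def scrape_accepted(exposition: str) -> bool:
    """A scraper treats the response as all-or-nothing: one bad line and
    the entire scrape is dropped, which is the impact the advisory describes."""
    return not find_malformed_lines(exposition)


# Constructed sample payloads. 'example_dynblocks' and its labels are
# hypothetical names chosen for illustration, not dnsdist's real metrics.
HEADER = ("# HELP example_dynblocks Hypothetical per-block counter\n"
          "# TYPE example_dynblocks gauge\n")

# A blocked name containing characters that are special in the text format.
HOSTILE_NAME = 'a"b\nc.example.'

SAMPLE_UNESCAPED = HEADER + "\n".join([
    render_sample("example_dynblocks", {"rule": "suffix", "name": "bad.example."}, 1),
    render_sample("example_dynblocks", {"rule": "suffix", "name": HOSTILE_NAME}, 2,
                  escape=False),
]) + "\n"

SAMPLE_ESCAPED = HEADER + "\n".join([
    render_sample("example_dynblocks", {"rule": "suffix", "name": "bad.example."}, 1),
    render_sample("example_dynblocks", {"rule": "suffix", "name": HOSTILE_NAME}, 2),
]) + "\n"


if __name__ == "__main__":
    for label, payload in (("unescaped", SAMPLE_UNESCAPED), ("escaped", SAMPLE_ESCAPED)):
        print(f"{label}: accepted={scrape_accepted(payload)}")
        for lineno, text in find_malformed_lines(payload):
            print(f"  line {lineno}: {text!r}")
```

Running `find_malformed_lines` against a saved copy of the metrics response is a quick way to confirm whether a failing scrape is caused by this class of problem rather than by network or authentication issues; the escaped payload passes while the unescaped one is rejected on two lines, because the raw newline in the label value splits one sample into two fragments that are each invalid on their own.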

How to mitigate CVE-2026-40011

Install security update from vendor's website.
