Description
An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service and Potential Information Disclosure
Action: Patch Now
AI Analysis

Impact

An attacker who sends a crafted DNS response can cause DNSdist to perform an out-of-bounds read when custom Lua code calls newDNSPacketOverlay to parse DNS packets. The out-of-bounds read may trigger a process crash, resulting in a denial of service, or it can read data from unrelated memory, leading to potential information disclosure.

Affected Systems

The vulnerability affects PowerDNS DNSdist whenever custom Lua code uses the newDNSPacketOverlay function. Version information is not provided in the advisory, so any deployment that incorporates this Lua feature may be vulnerable. Administrators should review the release notes of DNSdist for fixed versions or consult the PowerDNS advisory.

Risk and Exploitability

Based on the description, it is inferred that the attacker can deliver a malicious DNS response to the DNSdist instance over the network, without needing authentication or elevated privileges. The CVSS score of 5.3 places the flaw in the medium severity range. EPSS is not available and the flaw is not listed in the CISA KEV catalog, suggesting limited reported exploitation. Nevertheless, a successful exploit can crash the service or leak memory contents, making the risk moderate and warranting prompt mitigation.

Generated by OpenCVE AI on March 31, 2026 at 16:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced in the PowerDNS advisory for DNSdist 2026-02, which updates or removes the vulnerable Lua parsing call.
  • Verify the DNSdist version in use and confirm it contains the fix; if missing, upgrade to the latest release.
  • If the patch cannot be applied immediately, eliminate the vulnerable code path by disabling or removing any custom Lua scripts that invoke newDNSPacketOverlay.
  • Restrict inbound DNS response traffic with firewalls or ACLs so that only responses from trusted upstream servers can reach the DNSdist instance.
  • Monitor server logs for crashes or abnormal memory accesses to detect attempted exploitation.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Powerdns; Powerdns dnsdist

Type: Vendors & Products
Values Removed: (none)
Values Added: Powerdns; Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-126

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 12:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.

Type: Title
Values Removed: (none)
Values Added: Out-of-bounds read when parsing DNS packets via Lua

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-31T13:18:41.769Z

Reserved: 2026-01-20T14:56:25.872Z

Link: CVE-2026-24028

Vulnrichment

Updated: 2026-03-31T13:17:57.216Z

NVD

Status : Awaiting Analysis

Published: 2026-03-31T12:16:27.487

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-24028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:44Z

Weaknesses