Description
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Published: 2026-03-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

DNSdist, a DNS load balancer, contains a flaw that allows an attacker to trigger an unbounded memory allocation when processing DNS packets over QUIC or HTTP/3. The resulting excessive memory usage can exhaust system resources and cause the service to crash or enter an out‑of‑memory state. The weakness is classified as CWE‑789, which involves improper handling of memory allocation sizes.

Affected Systems

The vulnerable component is DNSdist from PowerDNS. No specific product versions are listed in the advisory, so all deployed installations of DNSdist should be considered potentially affected until the vendor provides a precise version range.

Risk and Exploitability

The problem has a CVSS score of 5.3, indicating moderate severity. While a formal exploit probability metric is not provided, the vulnerability can be triggered remotely by carefully crafted DoQ or DoH3 traffic. If the target system has sufficient memory, the failure may be limited to an exception and packet rejection; however, in other configurations the allocation may bring the host down, resulting in a denial of service. The vulnerability is not listed in CISA's KEV catalog, but the potential impact warrants immediate attention.

Generated by OpenCVE AI on March 31, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review the official PowerDNS DNSdist advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html for the latest guidance.
  • Download and install the patched DNSdist release that addresses the memory allocation issue.
  • Restart the DNSdist service after applying the patch and confirm normal operation.

Generated by OpenCVE AI on March 31, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-789
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Title Unbounded memory allocation for DoQ and DoH3
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-03-31T13:14:57.345Z

Reserved: 2026-01-20T14:56:25.872Z

Link: CVE-2026-24030

cve-icon Vulnrichment

Updated: 2026-03-31T13:14:48.598Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-31T12:16:27.770

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-24030

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:43Z

Weaknesses