CVE-2026-24030 - Vulnerability Details

- Unbounded memory allocation for DoQ and DoH3

Description

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

Published: 2026-03-31

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An attacker can send specially crafted DNS over QUIC or DNS over HTTP/3 payloads to DNSdist, causing the server to allocate an unbounded amount of memory. The resulting memory exhaustion may trigger an exception that closes the connection, but in environments with ample memory the process can be killed by the operating system or the system may enter an out‑of‑memory state, effectively taking the DNS service offline. The weakness is a classic unbounded memory allocation flaw (CWE‑789.)

Affected Systems

The vulnerability affects the PowerDNS DNSdist load balancer for any versions that process DoQ (DNS over QUIC) or DoH3 (DNS over HTTP/3). No specific release numbers were supplied, so all installations that enable these protocols are considered at risk unless a patched version has been deployed.

Risk and Exploitability

The CVSS score of 5.3 places this in the medium threat range, while the EPSS of less than 1 % indicates a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. The flaw is network‑based and does not require authentication; an attacker can launch it from any host that can reach the DNSdist instance over the relevant ports. Successful exploitation results in denial of service, either via a graceful disconnect or by terminating the DNSdist process, and could impact all clients behind the load balancer.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

PowerDNS

DNSdist

unaffected

Version	Status	Constraints
`1.9.0`	affected	< 1.9.12
`2.0.0`	affected	< 2.0.3

Configuration 1 [-]

OR	cpe:2.3:a:powerdns:dnsdist::::::::
	cpe:2.3:a:powerdns:dnsdist::::::::

No data.

Vendor Product Confidence Versions

Powerdns

Dnsdist

100%

Version	Status	Scheme	Platform
`[1.9.0,1.9.12)`	affected	semver	—
`[2.0.0,2.0.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade DNSdist to the latest release that contains the memory‑allocation fix per the vendor advisory
If DoQ or DoH3 is not required, disable those protocol handlers in DNSdist configuration
Apply operating‑system memory limits or cgroup restrictions to the DNSdist process to bound resource usage
Monitor DNSdist logs and system OOM events for signs of the exploit
Use firewall rules or ACLs to limit which IPs can initiate QUIC or HTTP/3 traffic to the DNSdist instance

Generated by OpenCVE AI on April 14, 2026 at 17:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DSA	DSA-6235-1	dnsdist security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00009.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

History

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:powerdns:dnsdist::::::::

Wed, 01 Apr 2026 02:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Powerdns Powerdns dnsdist
Vendors & Products		Powerdns Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-789
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 31 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Description		An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Title		Unbounded memory allocation for DoQ and DoH3
References		https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Powerdns Dnsdist

MITRE

Status: PUBLISHED

Assigner: OX

Published: 2026-03-31T12:01:00.883Z

Updated: 2026-03-31T13:14:57.345Z

Reserved: 2026-01-20T14:56:25.872Z

Link: CVE-2026-24030

Vulnrichment

Updated: 2026-03-31T13:14:48.598Z

NVD

Status : Analyzed

Published: 2026-03-31T12:16:27.770

Modified: 2026-04-14T16:15:28.823

Link: CVE-2026-24030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z

Weaknesses

CWE-789

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object