Description
An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.
Published: 2026-03-31
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An attacker may be able to trigger a use-after-free by sending specially crafted DNS queries to a DNSdist instance whose custom Lua code invokes DNSQuestion:getEDNSOptions. In some cases that call refers to a version of the DNS packet that has already been modified, so it parses EDNS options out of stale packet data: a use-after-free (CWE-416) that can crash the process. A crash terminates the DNSdist instance and makes the DNS service unavailable to legitimate clients until it is restarted.

Affected Systems

The vulnerability affects PowerDNS DNSdist deployments whose custom Lua code calls DNSQuestion:getEDNSOptions; the vendor description ties the fault to that method, so a configuration that never invokes it does not exercise the affected path. The page gives no version information, so treat every DNSdist build that exposes this Lua method as potentially affected until the vendor's fixed releases are identified. Administrators should record the deployed DNSdist version and review every Lua script and configuration file for calls to the method.

Risk and Exploitability

The CVSS 3.1 score of 4.8 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L) denotes medium severity: reachable over the network without authentication or user interaction, but with high attack complexity and only low confidentiality and availability impact. EPSS is below 1%, the CVE is not in CISA's KEV catalogue, and the SSVC entry records no known exploitation, so exploitation appears limited at the time of publication. The attack surface is crafted DNS traffic reaching a DNSdist instance that runs the affected Lua code. The vendor describes the outcome as a crash and no code execution is claimed, but losing a DNSdist front end disrupts DNS availability for everything behind it, which matters most in high-availability or critical infrastructures.

Generated by OpenCVE AI on March 31, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DNSdist to the latest version that resolves the use‑after‑free issue.
  • If an update cannot be applied immediately, remove or disable the Lua code that calls DNSQuestion:getEDNSOptions until a fixed build is deployed; the page identifies no condition under which the call avoids the faulty path, so a partial guard cannot be relied on.
  • Monitor DNSdist logs for unexpected crashes or memory errors that could indicate exploitation.
  • Consider applying network‑level filtering to limit DNS traffic to trusted sources until the vulnerability is patched.
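To support the version check and Lua review called for in the Affected Systems paragraph and in the second recommended action, the following shell audit helper is an added example; it is not dnsdist's own tooling and not part of OpenCVE's guidance. It greps the given configuration directories for the getEDNSOptions method name (the Lua variable holding the DNSQuestion varies, so it keys on the method only), reports the installed dnsdist version via `dnsdist --version`, and runs itself against a constructed sample configuration. The sample Lua rules and the directory layout are assumptions for illustration.

```shell
#!/bin/sh
# Added audit helper (example code, not part of dnsdist or this OpenCVE page).
# Lists every Lua/config file under the given directories that calls the
# getEDNSOptions method named in CVE-2026-27854, so each call site can be
# reviewed or disabled while a fixed dnsdist build is rolled out.
# The Lua variable holding the DNSQuestion varies (dq, dnsquestion, ...),
# so the search keys on the method name only.

# find_getednsoptions_callsites DIR...
#   prints "file:line:text" for each call; empty output means no call sites.
find_getednsoptions_callsites() {
    # "|| true": no match is a clean result for an audit, not an error.
    grep -rn --include='*.lua' --include='*.conf' 'getEDNSOptions' "$@" 2>/dev/null || true
}

# count_getednsoptions_callsites DIR...
#   prints the number of matching lines.
count_getednsoptions_callsites() {
    find_getednsoptions_callsites "$@" | wc -l | tr -d ' '
}

# report_dnsdist_version
#   prints the installed dnsdist version so it can be compared with the
#   vendor's fixed releases once they are published; says so if not installed.
report_dnsdist_version() {
    if command -v dnsdist >/dev/null 2>&1; then
        dnsdist --version 2>&1
    else
        echo "dnsdist not found in PATH"
    fi
}

# make_sample_config
#   constructed sample for a stand-alone run: a dnsdist config directory with
#   one Lua rule that inspects EDNS options (option code 8 is EDNS Client
#   Subnet) and one config file that does not. Prints the directory path.
make_sample_config() {
    dir=$(mktemp -d)
    cat > "$dir/ecs.lua" <<'EOF'
-- constructed sample: looks at EDNS options on every query
function inspectEDNS(dq)
  local options = dq:getEDNSOptions()
  if options[8] then
    return DNSAction.None
  end
  return DNSAction.None
end
addAction(AllRule(), LuaAction(inspectEDNS))
EOF
    cat > "$dir/dnsdist.conf" <<'EOF'
-- constructed sample: no EDNS option parsing here
setLocal("0.0.0.0:53")
newServer({address="192.0.2.53"})
EOF
    echo "$dir"
}

# Stand-alone run: audit the constructed sample, then clean it up.
sample=$(make_sample_config)
echo "call sites found: $(count_getednsoptions_callsites "$sample")"
find_getednsoptions_callsites "$sample"
report_dnsdist_version
rm -rf "$sample"
```

For a real deployment, replace the constructed sample with the directory that holds the dnsdist configuration and any Lua it loads (assumed here to be the conventional /etc/dnsdist); every line the helper prints is a call site to remove or disable until a fixed build is installed, and the reported version is what to compare against the vendor's fixed releases once they are published.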

Generated by OpenCVE AI on March 31, 2026 at 15:35 UTC.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Powerdns; Powerdns dnsdist
Vendors & Products                    Powerdns; Powerdns dnsdist

Tue, 31 Mar 2026 14:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-416
Metrics                       ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 12:15:00 +0000

Type          Values Removed   Values Added
Description                    An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.
Title                          Use after free when parsing EDNS options in Lua
References
Metrics                        cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-02T13:46:22.087Z

Reserved: 2026-02-24T08:46:09.373Z

Link: CVE-2026-27854

Vulnrichment

Updated: 2026-03-31T13:12:24.381Z

NVD

Status: Awaiting Analysis

Published: 2026-03-31T12:16:28.053

Modified: 2026-04-01T14:24:02.583

Link: CVE-2026-27854

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:41Z

Weaknesses