Description
An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DoQ and DoH3 are disabled by default.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply Patch
AI Analysis

Impact

An attacker can open a high volume of concurrent DoQ or DoH3 connections to a DNSdist instance. Because DNSdist places no bound on the memory allocated for these connections, the service can exhaust its available memory and become unresponsive. The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), a resource-exhaustion weakness that leads to denial of service.

Affected Systems

The flaw affects DNSdist, the open‑source load‑balancing front‑end for PowerDNS. Any installation that has DoQ or DoH3 enabled is susceptible; the advisory notes that these protocols are disabled by default.

Risk and Exploitability

The CVSS score of 5.3 places the issue in the medium severity range. EPSS is currently unavailable and the flaw is not listed in the CISA KEV catalog. Because DoQ and DoH3 are off by default, only instances where the operator has enabled at least one of them are exposed. Where they are enabled, the attack path is to open a large number of simultaneous connections, which drains the server's memory and causes a denial of service.

Generated by OpenCVE AI on April 22, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DNSdist to the latest version as announced in the vendor advisory
  • Configure DNSdist to disable DoQ and DoH3 permanently if they are not required
  • Implement network-level limits or firewall rules to restrict the number of simultaneous connections to DNSdist

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Powerdns; Powerdns dnsdist
Vendors & Products | | Powerdns; Powerdns dnsdist

Wed, 22 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-770
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.
Title | | Resource exhaustion via DoQ/DoH3 connections
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:51:51.130Z

Reserved: 2026-03-18T10:06:16.572Z

Link: CVE-2026-33254

Vulnrichment

Updated: 2026-04-22T14:50:08.743Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T14:16:53.520

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-33254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z
