Description
A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
Published: 2026-04-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A client can trigger a divide by zero error in DNSdist, causing the server to crash from a crafted DNSCrypt query. Based on the description, it is inferred that the crash results in a denial of service that affects the availability of the DNS service for all clients. This flaw is classified as CWE‑369, a divide‑by‑zero weakness.

Affected Systems

The vulnerability affects the PowerDNS DNSdist product. No specific version numbers are given in the advisory, so all currently deployed instances of DNSdist may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. Based on the description, it is inferred that the exploit requires only the ability to send a crafted DNSCrypt query to the vulnerable DNSdist server, so remote attackers can trigger the crash. The EPSS score is < 1%, indicating a very low but nonzero exploitation probability. The flaw is not listed in CISA KEV, meaning there is no confirmed exploitation data yet. Nonetheless, the high severity and the inferred remote attack vector make it a significant risk for environments that rely on DNSdist.

Generated by OpenCVE AI on April 28, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the PowerDNS DNSdist advisory for the latest patch version and apply the fix as soon as it is available.
  • If an immediate upgrade is not feasible, consider disabling DNSCrypt support temporarily to prevent the crafted queries from reaching DNSdist.
  • Monitor DNSdist logs and network traffic for abnormal crash patterns as an early warning of exploitation attempts.

Generated by OpenCVE AI on April 28, 2026 at 08:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6235-1 dnsdist security update
History

Fri, 24 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-369
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
Title Denial of service via crafted DNSCrypt query
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:29:07.880Z

Reserved: 2026-03-23T12:57:56.813Z

Link: CVE-2026-33593

cve-icon Vulnrichment

Updated: 2026-04-22T14:28:59.179Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:53.713

Modified: 2026-04-24T18:49:36.830

Link: CVE-2026-33593

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T08:30:13Z

Weaknesses