Description
A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion Denial of Service
Action: Patch ASAP
AI Analysis

Impact

The vulnerability allows a client to force the DNSdist server to allocate excessive memory by issuing many queries that are routed to an overloaded DoH backend. These queries accumulate in a buffer that is only released when the connection ends, leading to runaway memory consumption that can degrade performance or cause the server to crash. The weakness is classified as CWE-770, which covers excessive allocation of resources.

Affected Systems

Affected systems include the PowerDNS DNSdist service. The advisory does not provide specific version numbers, so all currently deployed instances of DNSdist may be susceptible until a patch is applied.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the client has the ability to trigger the exploit by sending a high volume of queries; no privileged access is required, so the potential threat vector is remote from any internet‑connected client.

Generated by OpenCVE AI on April 27, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DNSdist to the latest release as published by PowerDNS.
  • Implement per-client or per-IP rate limiting to restrict the number of queued DoH queries that can be held in memory.
  • Configure load balancing or health checks on the DoH backend to prevent it from becoming overloaded, and consider disabling DoH for high‑volume clients if necessary.

Generated by OpenCVE AI on April 27, 2026 at 19:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6235-1 dnsdist security update
History

Fri, 24 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.
Title Outgoing DoH excessive memory allocation
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:36:48.875Z

Reserved: 2026-03-23T12:57:56.814Z

Link: CVE-2026-33594

cve-icon Vulnrichment

Updated: 2026-04-22T14:36:40.603Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:53.837

Modified: 2026-04-24T16:48:39.007

Link: CVE-2026-33594

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:30:12Z

Weaknesses