A client can trigger excessive memory allocation by generating a large number of error responses over a single DoQ or DoH3 connection. The flaw occurs because certain resources are not released until the connection closes, which can cause the server to consume an unbounded amount of memory and eventually become unresponsive. This weakness directly maps to CWE‑770, Excessive Resource Allocation, and it can compromise the availability of the DNS server for legitimate users. The affected vendor is PowerDNS, specifically the DNSdist product. No explicit version ranges are supplied in the advisory, so any installation built before the release of the patch described in the linked advisory remains vulnerable. The CVSS score of 5.3 indicates a moderate severity. The EPSS score is not reported, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that widespread exploitation has not been observed at this time. The likely attack vector is remote, requiring an adversary to send crafted DoQ or DoH3 packets that provoke error responses, but the impact could still be substantial if an attacker can generate sufficient traffic to exhaust system memory.

The affected product is PowerDNS DNSdist. No specific vulnerable versions are detailed in the advisory, so any deployment of DNSdist older than the patched release remains susceptible.

The CVSS score of 5.3 indicates moderate severity. EPSS is not available, so exploitation probability is unknown; the vulnerability is not listed in CISA KEV catalog, implying no confirmed widespread exploitation. The likely remote attack vector involves a client generating many error responses over a single DoQ or DoH3 connection, leading to excessive memory allocation and eventual denial of service.