Description
A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.
Published: 2026-04-22
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Query Mismatch
Action: Monitor
AI Analysis

Impact

A flood of perfectly timed queries can force DNSdist to misalign the identifiers used for TCP or DNS over TLS back‑end sessions, resulting in responses not matching the intended queries. The consequence is that the resolver may deliver incorrect, stale, or no answers, effectively degrading DNS service quality or availability. This weakness is identified as integer overflow (CWE‑190).

Affected Systems

The product affected is PowerDNS DNSdist, a DNS load‑balancer and forwarder. No specific version range is listed in the advisory, so all installations of DNSdist remain potentially vulnerable until patched.

Risk and Exploitability

The CVSS score of 3.1 indicates a low severity risk. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. The likely attack scenario requires a client to send a high volume of tightly timed queries to a backend that accepts only TCP or TLS, which could be feasible on an open or poorly protected network. Given the low severity and lack of documented exploitation, the primary concern is operational disruption rather than a catastrophic breach.

Generated by OpenCVE AI on April 27, 2026 at 19:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Adjust firewall or load‑balancing rules to rate‑limit traffic entering DNSdist from untrusted sources.
  • Upgrade to a DNSdist release that incorporates the described fix, as noted in the official PowerDNS advisory.
  • Configure DNSdist to use UDP or other tolerant back‑end protocols where feasible to avoid TCP‑only or TLS bottlenecks.
  • Continuously monitor DNS request patterns for abrupt increases or timing anomalies to detect attempted probe traffic.

Generated by OpenCVE AI on April 27, 2026 at 19:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6235-1 dnsdist security update
History

Fri, 24 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.
Title TCP backend stream ID overflow
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:43:54.294Z

Reserved: 2026-03-23T12:57:56.814Z

Link: CVE-2026-33596

cve-icon Vulnrichment

Updated: 2026-04-22T14:42:18.441Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:54.073

Modified: 2026-04-24T18:50:36.870

Link: CVE-2026-33596

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:30:12Z

Weaknesses