Description
A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.
Published: 2026-04-22
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds read triggered by a crafted DNS SVCB response during Discovery of Designated Resolvers
Action: Disable DDR upgrade
AI Analysis

Impact

A rogue DNS backend can send a specially crafted SVCB record to DNSdist when the autoUpgrade option (Lua, on newServer) or the auto_upgrade setting (YAML) is enabled for that backend. The malformed response triggers an out‑of‑bounds read (CWE-125) in the service discovery code that parses DDR answers. The published CVSS vector credits the issue with a low availability impact and no confidentiality or integrity impact (C:N/I:N/A:L), so the expected outcome is a crash or misbehaviour of the DNSdist process while it parses the response, not memory disclosure, code execution or privilege escalation.
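The failure class above is a length field inside the SVCB RDATA that a parser trusts without checking it against the bytes actually left in the record. The following is an added, illustrative parser for the SVCB wire format (RFC 9460: SvcPriority, TargetName, then SvcParams as key/length/value triples); it is not dnsdist's service-discovery code, and the sample RDATA is constructed here. It shows the bounds check a strict parser needs and what happens when that check is missing: in Python the over-long slice silently truncates, whereas the equivalent C read runs past the end of the buffer, which is the CWE-125 pattern.

```python
"""Bounds-checked parser for SVCB RDATA (RFC 9460 wire format).

Illustrative code for the CWE-125 class described above; it is not
dnsdist's service-discovery code. The sample RDATA below is constructed.
"""
import struct

SVCB_KEY_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn",
                  3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint", 7: "dohpath"}


class MalformedSvcb(ValueError):
    """Raised when the RDATA does not match its declared lengths."""


def read_name(buf: bytes, off: int):
    """Parse an uncompressed wire-format name at off; return (name, next_off)."""
    labels = []
    while True:
        if off >= len(buf):
            raise MalformedSvcb("TargetName runs past end of RDATA")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise MalformedSvcb("compression pointers are not allowed in SVCB TargetName")
        if off + n > len(buf):
            raise MalformedSvcb("label runs past end of RDATA")
        labels.append(buf[off:off + n].decode("latin-1"))
        off += n
    return ".".join(labels) + ".", off


def parse_svcb_rdata(buf: bytes):
    """Strict parser: every declared length is checked against the bytes left."""
    if len(buf) < 2:
        raise MalformedSvcb("RDATA shorter than SvcPriority")
    priority = struct.unpack_from("!H", buf, 0)[0]
    target, off = read_name(buf, 2)
    params = {}
    last_key = -1
    while off < len(buf):
        if off + 4 > len(buf):
            raise MalformedSvcb("truncated SvcParam header")
        key, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if key <= last_key:
            raise MalformedSvcb("SvcParamKeys must be strictly increasing")
        if off + length > len(buf):  # the check a naive parser omits
            raise MalformedSvcb(
                f"SvcParam {SVCB_KEY_NAMES.get(key, key)} declares {length} bytes, "
                f"only {len(buf) - off} remain")
        params[key] = bytes(buf[off:off + length])
        off += length
        last_key = key
    return priority, target, params


def parse_svcb_rdata_unchecked(buf: bytes):
    """Same walk without the remaining-length check. In Python the slice just
    truncates; in C the equivalent copy/read runs past the buffer (CWE-125)."""
    priority = struct.unpack_from("!H", buf, 0)[0]
    target, off = read_name(buf, 2)
    params = {}
    while off < len(buf):
        key, length = struct.unpack_from("!HH", buf, off)
        off += 4
        params[key] = bytes(buf[off:off + length])
        off += length
    return priority, target, params


def svcb_port(params):
    """Decode the 'port' SvcParam (key 3), or None if absent."""
    raw = params.get(3)
    if raw is None:
        return None
    if len(raw) != 2:
        raise MalformedSvcb("port value must be exactly 2 bytes")
    return struct.unpack("!H", raw)[0]


def is_well_formed(buf: bytes) -> bool:
    """True if the RDATA parses strictly; usable to flag suspicious responses."""
    try:
        parse_svcb_rdata(buf)
        return True
    except MalformedSvcb:
        return False


# Constructed DDR-style answer: priority 1, target dns.example.net., alpn "dot", port 853.
GOOD_RDATA = (b"\x00\x01"
              + b"\x03dns\x07example\x03net\x00"
              + b"\x00\x01" + b"\x00\x04" + b"\x03dot"
              + b"\x00\x03" + b"\x00\x02" + b"\x03\x55")
# Same record with the port param's length field raised to 256 while only 2 bytes follow.
CRAFTED_RDATA = GOOD_RDATA[:-4] + b"\x01\x00" + GOOD_RDATA[-2:]

if __name__ == "__main__":
    print(parse_svcb_rdata(GOOD_RDATA))
    print("unchecked:", parse_svcb_rdata_unchecked(CRAFTED_RDATA))
    print("strict:", is_well_formed(CRAFTED_RDATA))
```

The strict parser rejects the crafted record at the port parameter; the unchecked one returns a two-byte value for a field that claimed 256, which is exactly the discrepancy a native parser would turn into an over-read.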

Affected Systems

The vulnerability affects PowerDNS DNSdist. The advisory gives no version range, and the NVD CPE (cpe:2.3:a:powerdns:dnsdist:*) is likewise unbounded. The feature is disabled by default, so only deployments that have enabled autoUpgrade (Lua) or auto_upgrade (YAML) for a backend are exposed.

Risk and Exploitability

The CVSS 3.1 score of 3.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) classifies this as low severity: the attacker must be, or be able to answer as, a backend that DNSdist has been configured to probe with DDR (adjacent attack vector), and the attack complexity is rated high. EPSS is below 1%, the issue is not listed in CISA’s KEV catalog, and the SSVC assessment records no known exploitation and rates it as not automatable. The vulnerable code is only exercised when DDR auto‑upgrade is enabled, which it is not by default. The risk is primarily informational unless a deployment has enabled autoUpgrade/auto_upgrade against backends it does not fully control.

Generated by OpenCVE AI on April 27, 2026 at 19:17 UTC.

Remediation

The advisory text itself lists no vendor fix. The workaround is to disable DDR auto‑upgrade (autoUpgrade in Lua, auto_upgrade in YAML), which removes the vulnerable code path; a Debian security update, DSA-6235-1, is listed under Advisories below.

OpenCVE Recommended Actions

  • Verify that no backend has autoUpgrade (Lua newServer option) or auto_upgrade (YAML) enabled in the DNSdist configuration
  • If the DDR upgrade is required, apply the latest available DNSdist release once a vendor fix is published
  • Monitor DNSdist logs and network traffic for unexpected SVCB responses from unauthorized backends
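A way to carry out the first action above across a fleet is to scan the configuration text for the two documented spellings of the setting. The script below is an added example, not dnsdist's own tooling. It assumes autoUpgrade=true appears inside a Lua newServer({...}) table, and that the YAML form is a backend entry with an auto_upgrade mapping whose enabled key is true (the nested enabled key is an assumption here). Comment stripping is deliberately simple and assumes no "--" or "#" inside string literals. The two sample configurations are constructed.

```python
"""Audit dnsdist configuration text for the DDR auto-upgrade setting.

Added example, not dnsdist's own tooling. Assumed spellings: autoUpgrade=true
inside a Lua newServer({...}) table, and a YAML backend entry with
auto_upgrade: {enabled: true} (the nested 'enabled' key is assumed).
Comment stripping is naive: it assumes no '--' or '#' inside string literals.
"""
import re
import sys

LUA_NEWSERVER = re.compile(r"newServer\s*\(\s*\{(.*?)\}\s*\)", re.DOTALL)
LUA_AUTOUPGRADE = re.compile(r"\bautoUpgrade\s*=\s*true\b")
YAML_FLOW = re.compile(r"auto_upgrade:\s*\{[^}]*\benabled:\s*(true|yes|on)\b", re.I)
YAML_BLOCK = re.compile(r"^(\s*)auto_upgrade:\s*$")
YAML_ENABLED = re.compile(r"^(\s*)enabled:\s*(\S+)")
TRUTHY = {"true", "yes", "on"}


def audit_lua(text: str):
    """Return [(line_no, message)] for every newServer() call with autoUpgrade=true."""
    # Drop '--' line comments but keep line structure so line numbers stay valid.
    clean = "\n".join(line.split("--", 1)[0] for line in text.splitlines())
    findings = []
    for call in LUA_NEWSERVER.finditer(clean):
        hit = LUA_AUTOUPGRADE.search(call.group(1))
        if hit:
            pos = call.start(1) + hit.start()
            findings.append((clean.count("\n", 0, pos) + 1, "autoUpgrade=true in newServer()"))
    return findings


def audit_yaml(text: str):
    """Return [(line_no, message)] for every backend whose auto_upgrade.enabled is true."""
    lines = [line.split("#", 1)[0].rstrip() for line in text.splitlines()]
    findings = []
    for i, line in enumerate(lines):
        if YAML_FLOW.search(line):
            findings.append((i + 1, "auto_upgrade enabled (flow mapping)"))
            continue
        block = YAML_BLOCK.match(line)
        if not block:
            continue
        indent = len(block.group(1))
        # Walk the nested mapping until it dedents back to the auto_upgrade: level.
        for j in range(i + 1, len(lines)):
            nxt = lines[j]
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break
            enabled = YAML_ENABLED.match(nxt)
            if enabled:
                if enabled.group(2).strip("\"'").lower() in TRUTHY:
                    findings.append((j + 1, "auto_upgrade.enabled: true"))
                break
    return findings


def audit(text: str, fmt: str):
    """Dispatch on configuration format: 'lua' or 'yaml'."""
    return audit_lua(text) if fmt == "lua" else audit_yaml(text)


# Constructed samples, not taken from any real deployment.
SAMPLE_LUA = """\
newServer({address="192.0.2.10:53", pool="plain"})
newServer({
  address="192.0.2.11:53",
  autoUpgrade=true,  -- probe this backend with DDR
  autoUpgradeKeep=true,
})
-- newServer({address="192.0.2.12:53", autoUpgrade=true})
"""

SAMPLE_YAML = """\
backends:
  - address: "192.0.2.10:53"
  - address: "192.0.2.11:53"
    auto_upgrade:
      enabled: true   # DDR probing on
      interval: 3600
  - address: "192.0.2.12:53"
    auto_upgrade:
      enabled: false
"""

if __name__ == "__main__":
    # Usage: python audit_ddr.py dnsdist.conf [dnsdist.yml ...]
    for path in sys.argv[1:]:
        fmt = "yaml" if path.endswith((".yml", ".yaml")) else "lua"
        with open(path, encoding="utf-8") as fh:
            for line_no, msg in audit(fh.read(), fmt):
                print(f"{path}:{line_no}: {msg}")
```

Every finding names the line on which the setting is turned on, so the output can be fed straight into a ticket; a backend that sets autoUpgradeKeep or auto_upgrade with enabled false is not reported, since only the enabled flag exercises the DDR code path.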

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6235-1 dnsdist security update
History

Fri, 24 Apr 2026 19:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Powerdns; Powerdns dnsdist
Type: Vendors & Products
Values Added: Powerdns; Powerdns dnsdist

Wed, 22 Apr 2026 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-125
Type: Metrics
Values Added: ssvc (v2.0.3): Exploitation: none; Automatable: no; Technical Impact: partial


Wed, 22 Apr 2026 14:15:00 +0000

Type: Description
Values Added: A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.
Type: Title
Values Added: Out-of-bounds read in service discovery
Type: References
Type: Metrics
Values Added: cvssV3_1: score 3.1, vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L


Subscriptions

Powerdns Dnsdist
MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:50:22.629Z

Reserved: 2026-03-23T12:57:56.814Z

Link: CVE-2026-33599

Vulnrichment

Updated: 2026-04-22T14:50:08.809Z

NVD

Status : Analyzed

Published: 2026-04-22T14:16:54.410

Modified: 2026-04-24T18:52:06.127

Link: CVE-2026-33599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:30:12Z

Weaknesses