Description
A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.
Published: 2026-04-22
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The described flaw is an off‑by‑one error in DNSdist’s handling of UDP responses. When a rogue backend sends a response whose query ID is off by one relative to the maximum allowed value, DNSdist writes past the bounds of its internal buffer. This out‑of‑bounds write corrupts memory and causes the daemon to crash, resulting in a denial of service. The weakness is a classic buffer overflow (CWE‑122). The likely attack vector is a crafted response sent from a malicious backend to an unprotected DNSdist instance.

Affected Systems

DNSdist, the caching DNS load‑balancing infrastructure from PowerDNS, is the impacted product. The advisory does not publish specific vulnerable versions, so administrators should verify that their installations are at or above the latest publicly available release. No other vendors are listed.

Risk and Exploitability

The CVSS score of 6.5 marks this issue as medium severity, and because the exploit requires only a malicious backend that can inject crafted UDP responses, the attack is feasible from a remote perspective. EPSS information is not available, and the vulnerability has not been listed in the CISA KEV catalog, indicating no known active exploitation. Nevertheless, the out‑of‑bounds write can lead to service interruption, which can be critical in high‑availability environments. Based on the description, it can be exploited remotely by a rogue backend.

Generated by OpenCVE AI on April 22, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DNSdist to the latest stable release that contains the fix referenced in the advisory.
  • Actively monitor DNSdist logs for abnormal crash events and enable high‑availability failover to mitigate downtime.
  • Restrict network communication between DNSdist and upstream backends, or enforce TLS between them, to prevent unauthorized or malformed UDP responses.

Generated by OpenCVE AI on April 22, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.
Title Off-by-one access when processing crafted UDP responses
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:47:07.785Z

Reserved: 2026-03-23T12:57:56.815Z

Link: CVE-2026-33602

cve-icon Vulnrichment

Updated: 2026-04-22T14:45:48.657Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T14:16:54.537

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-33602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T19:30:24Z

Weaknesses