Description
An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.
Published: 2026-06-25
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who can send many crafted DNS queries to a DNSdist instance can cause a dynamically inserted block to carry a value that produces invalid output on the Prometheus metrics endpoint. A scraper that cannot parse the response rejects it as a whole, so no DNSdist metrics are collected until the dynamic block expires. The effect is loss of monitoring for the affected DNSdist instance for the lifetime of the block; the Prometheus server itself keeps running and DNS service is not affected.
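To make the failure mode concrete, the following added example (not DNSdist or Prometheus code) implements a strict checker for the Prometheus text exposition format and renders a hypothetical `example_dynblock_entries{reason=...}` gauge both without and with label-value escaping. The metric name, the `reason` label and the crafted value are constructed for illustration; the advisory does not say which DNSdist metric or field is affected. It shows the point CWE-116 names: one label value carrying an unescaped double quote or line feed breaks the line it is on and the line after it, and a scraper that fails to parse any line rejects the whole response.

```python
"""Strict checker for the Prometheus text exposition format.

Added example, not DNSdist or Prometheus code. It assumes (the advisory
does not specify this) that the dynamic block's triggering value ends up
in a label value of one metric; the metric name, label name and crafted
value below are constructed for illustration.
"""
import re

# Grammar pieces of the text exposition format as Prometheus accepts it.
METRIC_NAME = r"[a-zA-Z_:][a-zA-Z0-9_:]*"
LABEL_NAME = r"[a-zA-Z_][a-zA-Z0-9_]*"
# A label value is double-quoted; backslash, double quote and line feed
# must appear escaped as \\, \" and \n. No other escape is allowed.
LABEL_VALUE = r'"(?:[^"\\\n]|\\[\\"n])*"'
LABEL_PAIR = LABEL_NAME + "=" + LABEL_VALUE
LABELS = r"\{\s*(?:" + LABEL_PAIR + r"(?:\s*,\s*" + LABEL_PAIR + r")*\s*,?)?\s*\}"
VALUE = r"(?:[-+]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][-+]?\d+)?|[-+]?Inf|NaN)"
SAMPLE_LINE = re.compile(
    "^" + METRIC_NAME + "(?:" + LABELS + r")?\s+" + VALUE + r"(?:\s+-?\d+)?\s*$"
)


def escape_label_value(value: str) -> str:
    """Escape a string so it is a valid Prometheus label value."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def find_invalid_lines(exposition: str) -> list[tuple[int, str]]:
    """Return (line number, line) for each line a scraper would reject.

    Blank lines and '#' comments (HELP/TYPE) are accepted; every other
    line must be a well-formed sample line.
    """
    bad = []
    for number, line in enumerate(exposition.split("\n"), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        if not SAMPLE_LINE.match(line):
            bad.append((number, line))
    return bad


def render_dynblock_gauge(reason: str, count: int, escape: bool) -> str:
    """Render a hypothetical gauge whose label carries the block's reason."""
    label = escape_label_value(reason) if escape else reason
    return 'example_dynblock_entries{reason="' + label + '"} ' + str(count)


def build_exposition(reason: str, escape: bool) -> str:
    """Constructed /metrics body: one clean counter plus the gauge."""
    return "\n".join([
        "# HELP example_queries_total Queries handled (constructed data).",
        "# TYPE example_queries_total counter",
        "example_queries_total 12345",
        "# HELP example_dynblock_entries Active dynamic blocks by reason.",
        "# TYPE example_dynblock_entries gauge",
        render_dynblock_gauge(reason, 3, escape),
        "",
    ])


# Constructed reason string: a double quote and a line feed, the two
# characters that must be escaped, followed by text that lands on its
# own line and masquerades as a second sample.
CRAFTED_REASON = 'rate limited "client"\nbogus_metric 1'


def demo() -> tuple[list[tuple[int, str]], list[tuple[int, str]]]:
    """Rejected lines without escaping versus with escaping."""
    unescaped = find_invalid_lines(build_exposition(CRAFTED_REASON, escape=False))
    escaped = find_invalid_lines(build_exposition(CRAFTED_REASON, escape=True))
    return unescaped, escaped


if __name__ == "__main__":
    bad_without, bad_with = demo()
    print("without escaping, rejected lines:", [n for n, _ in bad_without])
    print("with escaping, rejected lines:", [n for n, _ in bad_with])
```

Without escaping, lines 6 and 7 of the constructed body are rejected (the gauge line is cut in half and the attacker-supplied tail becomes a malformed line of its own); with escaping, the same value is a single valid line. In a real deployment the equivalent check is `promtool check metrics` fed the scraped body on stdin, and a single unparsable line is enough for Prometheus to fail the scrape, set the target's `up` series to 0 and discard every sample in that response, which is the loss of monitoring the advisory describes.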

Affected Systems

The vulnerability affects PowerDNS DNSdist. The record as captured here lists no affected or fixed versions, so treat every DNSdist installation as potentially affected until PowerDNS publishes version details or a fixed release.

Risk and Exploitability

The CVSS 3.1 base score is 3.7 (Low) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N: the attack is unauthenticated and network-reachable but rated high complexity, and the vector records a low integrity impact (corrupted metrics output) with no availability impact, even though the practical effect is a temporary loss of monitoring data. No EPSS score has been published yet, which says nothing about exploitation either way; the SSVC assessment attached to the record lists Exploitation: none, Automatable: no and Technical Impact: partial. The flaw does not touch authentication or data confidentiality, and it is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on June 25, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the DNSdist release that addresses the issue as soon as PowerDNS publishes it; no fixed version is recorded here yet.
  • Reduce the volume of crafted queries that can reach DNSdist, preferably by rate limiting or filtering upstream of it. Note that the description says the flood works by triggering insertion of a DNSdist dynamic block, so DNSdist's own dynamic-block rules are part of the trigger path rather than a clean mitigation.
  • Restricting the Prometheus metrics endpoint to trusted scrapers limits who sees the malformed output but does not prevent the failed scrape. Alert on the target's `up` series dropping to 0 so the loss of monitoring is itself noticed, and validate the endpoint's output (for example with `promtool check metrics`) when it happens.
  • Limit inbound DNS traffic to trusted sources using firewall rules.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 25 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400

Thu, 25 Jun 2026 14:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-116
Metrics                       ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 13:00:00 +0000

Type          Values Removed   Values Added
Description                    An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.
Title                          Prometheus denial of service via crafted DNS queries
References
Metrics                        cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T13:23:46.840Z

Reserved: 2026-04-08T09:59:59.341Z

Link: CVE-2026-40011

Vulnrichment

Updated: 2026-06-25T13:23:04.450Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T17:30:05Z

Weaknesses
  • CWE-116

    Improper Encoding or Escaping of Output