Description
An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
Published: 2026-06-25
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker might delay the processing of DoH3 queries by sending DoH3 GET requests that contain an invalid DATA frame. The malformed frame causes the DNSdist server to wait, idling resources and leading to a degradation of service for legitimate traffic. This flaw is a CWE‑705 (Improper Handling of Protocol) vulnerability and does not provide a path to compromise confidentiality or integrity, limiting impacts to availability.

Affected Systems

The affected product is PowerDNS DNSdist. The advisory does not specify impacted versions, so all deployments of DNSdist that support DoH3 should be considered at risk until a patch is applied.

Risk and Exploitability

The CVSS score of 3.7 indicates a low severity. EPSS data is not available, so the probability of automated exploitation is uncertain. The vulnerability is not listed in CISA KEV, implying no known widespread exploitation. The likely attack vector is network‑based through DoH3 over HTTPS, requiring the ability to send malformed DNS queries to the server. An adversary could flood the network with such queries to exhaust resources or simply disrupt service availability over time.

Generated by OpenCVE AI on June 25, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DNSdist to the latest release that includes the DoH3 query validation fix.
  • If DoH3 is not required, disable it or limit it to trusted clients using ACLs.
  • Implement rate limiting and enforce stricter payload validation for DoH3 requests at the network perimeter.
  • Monitor DNS logs for repeated DoH3 queries with invalid frames and investigate anomalies.

Generated by OpenCVE AI on June 25, 2026 at 17:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6367-1 dnsdist security update
History

Thu, 25 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-400

Thu, 25 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399
CWE-400

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-705
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
Title Denial of service via DoH3 queries
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T13:24:55.798Z

Reserved: 2026-04-10T07:11:39.060Z

Link: CVE-2026-40208

cve-icon Vulnrichment

Updated: 2026-06-25T13:24:38.396Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T23:15:04Z

Weaknesses
  • CWE-705

    Incorrect Control Flow Scoping