Description
An attacker might be able to cause outgoing TCP connections to the backend to become stuck until a timeout occurs, instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit on the number of concurrent connections to this backend, or if the process runs out of file descriptors.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to consume backend connection resources by repeatedly issuing IXFR queries, which keeps outbound TCP connections to the backend open until a timeout. This is a classic resource exhaustion weakness (CWE-772). The resulting resource saturation can lead to a denial of service when the number of concurrent connections is exhausted or the process runs out of file descriptors.

Affected Systems

It affects the PowerDNS DNSdist product. No specific affected version is listed in the advisory, so all current and prior releases may be vulnerable until a patch is released.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. The exploit probability is unknown, as no EPSS score is available, and the vulnerability is not listed in CISA KEV. Based on the description, the attack vector is inferred to be remote network access, so it is reachable by any adversary who can send IXFR queries to the instance. If an attacker can flood the server with such queries, a denial of service could occur, impacting the availability of services that rely on the DNS backend.

Generated by OpenCVE AI on June 25, 2026 at 18:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DNSdist to the latest version that contains the fix.
  • Configure backend timeouts and limit the number of concurrent connections to the backend to reduce the impact of resource exhaustion.
  • Apply network-level rate limiting or firewall rules to restrict the frequency of IXFR queries from untrusted sources.

Advisories
  Source: Debian DSA
  ID: DSA-6367-1
  Title: dnsdist security update
History

Thu, 25 Jun 2026 22:15:00 +0000
  First Time appeared: Powerdns; Powerdns dnsdist
  Vendors & Products: Powerdns; Powerdns dnsdist

Thu, 25 Jun 2026 17:30:00 +0000
  Weaknesses: CWE-400

Thu, 25 Jun 2026 16:15:00 +0000
  Weaknesses: CWE-400

Thu, 25 Jun 2026 15:30:00 +0000
  Weaknesses: CWE-772
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 13:00:00 +0000
  Description: An attacker might be able to cause outgoing TCP connections to the backend to become stuck until a timeout occurs, instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit on the number of concurrent connections to this backend, or if the process runs out of file descriptors.
  Title: Denial of service via IXFR queries
  References:
  Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE
  Status: PUBLISHED
  Assigner: OX
  Published:
  Updated: 2026-06-25T13:56:22.793Z
  Reserved: 2026-04-10T07:11:39.060Z
  Link: CVE-2026-40209

Vulnrichment
  Updated: 2026-06-25T13:56:09.847Z

NVD
  No data.

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-06-25T22:00:12Z

Weaknesses
  • CWE-772: Missing Release of Resource after Effective Lifetime