Description
An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can send specially crafted DNS over HTTP/3 queries that trigger an exception in DNSdist, causing a buffer to remain allocated until the QUIC connection closes. If enough concurrent DoH3 streams are opened, this delayed deallocation can exhaust memory and lead to a out‑of‑memory condition, resulting in a denial of service. The vulnerability stems from improper memory handling and can compromise the availability of DNSdist services.

Affected Systems

PowerDNS DNSdist is affected. No specific version range is listed in the advisory, so all running instances should be assumed vulnerable until a patch becomes available.

Risk and Exploitability

Based on the description, it is inferred that the likely attack vector is sending crafted DNS over HTTP/3 queries to DNSdist. The CVSS score of 5.3 indicates a medium severity risk. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, so the likelihood of widespread exploitation remains uncertain. The exploit requires an attacker to open a large number of concurrent DoH3 streams, which may be limited by network configuration or hardware resources. The risk is therefore moderate but should not be neglected.

Generated by OpenCVE AI on June 25, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DNSdist to the latest version that includes the official fix for this issue.
  • If an update is not immediately available, limit the number of concurrent DoH3 streams that DNSdist will accept as directed in the advisory.
  • Block or restrict DoH3 traffic from untrusted sources using firewall rules or rate limiting.
  • Monitor DNSdist memory usage and logs for signs of excessive memory allocation or repeated exceptions.

Generated by OpenCVE AI on June 25, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6367-1 dnsdist security update
History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
Title Denial of service via crafted DoH3 queries
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T13:45:02.430Z

Reserved: 2026-04-10T07:11:39.060Z

Link: CVE-2026-40211

cve-icon Vulnrichment

Updated: 2026-06-25T13:44:49.368Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T00:00:13Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling