Impact
An attacker can send specially crafted DNS over HTTP/3 queries that trigger an exception in DNSdist, causing a buffer to remain allocated until the QUIC connection closes. If enough concurrent DoH3 streams are opened, this delayed deallocation can exhaust memory and lead to a out‑of‑memory condition, resulting in a denial of service. The vulnerability stems from improper memory handling and can compromise the availability of DNSdist services.
Affected Systems
PowerDNS DNSdist is affected. No specific version range is listed in the advisory, so all running instances should be assumed vulnerable until a patch becomes available.
Risk and Exploitability
Based on the description, it is inferred that the likely attack vector is sending crafted DNS over HTTP/3 queries to DNSdist. The CVSS score of 5.3 indicates a medium severity risk. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, so the likelihood of widespread exploitation remains uncertain. The exploit requires an attacker to open a large number of concurrent DoH3 streams, which may be limited by network configuration or hardware resources. The risk is therefore moderate but should not be neglected.
OpenCVE Enrichment
Debian DSA