Description
Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.
Published: 2026-04-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through connection slot exhaustion
Action: Apply Patch
AI Analysis

Impact

Deadwood in MaraDNS version 3.5.0036 enables attackers to send DNS queries that exhaust the server’s connection slots when the zone references an authoritative nameserver that cannot be resolved. This resource‑exhaustion flaw leads to a denial of service, preventing legitimate clients from resolving queries. The weakness maps to CWE‑670, reflecting improper limiting of a resource or race condition in handling unresolved zones.

Affected Systems

The vulnerability affects installations of MaraDNS 3.5.0036. Any derivative or older deployments that have not applied the subsequent fix listed in the changelog are also impacted.

Risk and Exploitability

With a CVSS score of 7.5 the flaw is classified as high severity. No EPSS data is available, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is remote DNS traffic; an attacker must have network reachability to the MaraDNS server and can trigger the condition by querying a zone whose authoritative nameserver address is unresolvable. The exploit consumes a limited pool of connection slots, ultimately degrading service availability for all clients.

Generated by OpenCVE AI on April 15, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade MaraDNS to a version newer than 3.5.0036 that includes the fix referenced in the project changelog.
  • If an upgrade is not immediately feasible, temporarily remove or disable any DNS zones that point to non‑resolvable authoritative nameservers to prevent exploitation of Deadwood.
  • Implement network‑level rate limiting or firewall rules to constrain the rate of incoming DNS queries directed at the server, thereby mitigating the impact of connection slot exhaustion.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type | Values Removed | Values Added
Title | | Deadwood Exploit Causing Connection Slot Exhaustion in MaraDNS

Wed, 15 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Maradns; Maradns maradns
Vendors & Products | | Maradns; Maradns maradns

Wed, 15 Apr 2026 07:15:00 +0000

Type | Values Removed | Values Added
Description | | Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.
Weaknesses | | CWE-670
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-15T13:22:14.897Z

Reserved: 2026-04-15T06:23:09.482Z

Link: CVE-2026-40719

Vulnrichment

Updated: 2026-04-15T13:22:06.113Z

NVD

Status: Awaiting Analysis

Published: 2026-04-15T07:16:11.193

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-40719

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses