Description
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
Published: 2026-06-25
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when DNSdist incorrectly handles EDNS OPT records. An attacker can send a crafted OPT record that is initially ignored by DNSdist’s filtering logic but is rewritten as a valid OPT record when the server appends an EDNS Client Subnet option. The rewritten OPT record is then forwarded to the backend DNS server, bypassing upstream filtering. This behavior corresponds to CWE‑115, which describes inconsistent protocol logic.

Affected Systems

The flaw impacts all installations of PowerDNS DNSdist that rely on the default OPT filtering and EDNS Client Subnet handling, regardless of version. Any instance that forwards queries to a backend DNS server without custom filtering is susceptible.

Risk and Exploitability

The CVSS score is 3.7, indicating low overall severity. No EPSS data is available and the flaw is not listed in CISA’s KEV catalog. Exploitation requires only the ability to send a crafted DNS query to a reachable DNSdist instance; no special privileges or authentication are needed. Because the underlying weakness is a logic error in handling EDNS options (CWE‑115), an attacker could cause the backend to receive options that were intended to be suppressed, potentially enabling side‑channel data leakage or other unintended processing.

Generated by OpenCVE AI on June 25, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DNSdist to the latest released version, which contains a fix that correctly rejects or preserves EDNS options when inserting the Client Subnet option.
  • If an upgrade is not immediately possible, manually configure DNSdist to drop all EDNS OPT records before appending the EDNS Client Subnet option so that only approved options are forwarded.
  • On backend DNS servers, enable strict EDNS option validation to reject any unrecognized or malformed options received from upstream servers.

Generated by OpenCVE AI on June 25, 2026 at 18:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6367-1 dnsdist security update
History

Thu, 25 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns dnsdist
Vendors & Products Powerdns
Powerdns dnsdist

Thu, 25 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-115
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
Title EDNS options smuggling
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Powerdns Dnsdist
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T13:44:07.962Z

Reserved: 2026-04-23T11:15:21.198Z

Link: CVE-2026-42004

cve-icon Vulnrichment

Updated: 2026-06-25T13:43:59.267Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-115

    Misinterpretation of Input