Description
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
Published: 2026-06-25
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to send a crafted EDNS OPT record that DNSdist initially ignores during its filtering process. When DNSdist appends an EDNS Client Subnet option to the query, the previously ignored OPT record is rewritten into a valid form and forwarded to the backend. This mechanism enables malicious or unintended EDNS options to reach the backend DNS server, potentially exposing sensitive configuration data or facilitating lateral movement and other indirect attacks.

Affected Systems

Any installation of PowerDNS DNSdist is affected; no specific product version was identified in the advisory, so the vulnerability applies broadly to all variants of DNSdist as delivered by PowerDNS.

Risk and Exploitability

The CVSS score of 3.7 reflects a low overall severity, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only the ability to craft and send a DNS query to a DNSdist instance, with no authentication or privileged operation needed. The primary risk is the exposure of EDNS options that DNSdist would otherwise discard, potentially leaking information or enabling further exploitation via the backend’s interpretation of those options.

Generated by OpenCVE AI on June 25, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DNSdist to the latest version that contains a patch for the EDNS options smuggling flaw
  • Configure DNSdist to reject or strip all EDNS OPT records before inserting an EDNS Client Subnet so that only approved options are forwarded
  • Enable strict EDNS option validation on backend DNS servers and reject any unknown or suspicious options

Generated by OpenCVE AI on June 25, 2026 at 14:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-115
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
Title EDNS options smuggling
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T13:44:07.962Z

Reserved: 2026-04-23T11:15:21.198Z

Link: CVE-2026-42004

cve-icon Vulnrichment

Updated: 2026-06-25T13:43:59.267Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:45:02Z

Weaknesses
  • CWE-115

    Misinterpretation of Input

  • CWE-20

    Improper Input Validation