CVE-2026-24030
Memory Exhaustion in DNSdist via DNS over QUIC/HTTP3 Payloads
Publication date: 2026-03-31
Last updated on: 2026-04-14
Assigner: Open-Xchange
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| powerdns | dnsdist | From 1.9.0 (inc) to 1.9.12 (exc) |
| powerdns | dnsdist | From 2.0.0 (inc) to 2.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves DNSdist, where an attacker can trick it into allocating excessive memory while processing DNS over QUIC or DNS over HTTP/3 payloads. This excessive memory allocation can lead to a denial of service condition.
In environments with large amounts of memory, this usually causes an exception and the QUIC connection is closed properly. However, in some cases, the system may run out of memory and terminate the DNSdist process.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS). An attacker exploiting this issue can cause DNSdist to consume excessive memory, potentially leading to the termination of the DNSdist process or disruption of DNS services.