CVE-2026-33254
Denial of Service via Memory Exhaustion in DNSdist DoQ/DoH
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Open-Xchange
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| powerdns | dnsdist | From 1.9.0 (inc) to 1.9.13 (exc) |
| powerdns | dnsdist | From 2.0.0 (inc) to 2.0.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an attacker to create a large number of concurrent DNS over QUIC (DoQ) or DNS over HTTP/3 (DoH3) connections to the DNSdist service. This causes unlimited memory allocation within DNSdist, which can lead to a denial of service condition.
It is important to note that both DoQ and DoH3 are disabled by default in DNSdist.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) attack against the DNSdist service. An attacker exploiting this issue can cause the service to consume unlimited memory, potentially leading to service crashes or unavailability.
What immediate steps should I take to mitigate this vulnerability?
Since DOQ and DoH3 are disabled by default, ensure that these protocols remain disabled if not needed.
Monitor and limit the number of concurrent DoQ or DoH3 connections to prevent excessive memory allocation.