CVE-2026-40719
Status: Received - Intake
Connection Slot Exhaustion in MaraDNS 3.5.0036 via Deadwood Vulnerability

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: MITRE

Description
Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-15
Generated: 2026-05-07
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: samboy
Product: maradns
Version / Range: 3.5.0036
CWE
CWE-670: The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-40719 causes a denial-of-service condition in the Deadwood DNS resolver component of MaraDNS 3.5.0036 by exhausting upstream connection slots. This leads to resolver unavailability and immediate SERVFAIL responses for new queries.

The vulnerability impacts availability but does not affect confidentiality or integrity of data.

Since common standards and regulations like GDPR and HIPAA emphasize the protection of confidentiality, integrity, and availability of data, this vulnerability primarily affects the availability aspect.

However, there is no direct indication from the provided information that this vulnerability leads to unauthorized data access, data leakage, or compromise of personal or sensitive information.

Therefore, while the vulnerability could impact service availability and potentially disrupt operations that rely on DNS resolution, it does not directly violate compliance requirements related to data confidentiality or integrity under standards like GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-40719 is a resource exhaustion vulnerability in Deadwood, the recursive DNS resolver component of MaraDNS version 3.5.0036. It occurs when Deadwood tries to resolve a DNS zone whose authoritative nameserver address cannot be resolved, either because the NS hostname does not exist or the NS server is unreachable.

The root cause is that Deadwood's retry logic does not distinguish between immediate deterministic failures (like an NXDOMAIN response received very quickly) and genuine network timeouts. It sets a fixed timeout and retries multiple times regardless, holding upstream connection slots for about 40 seconds per query by default.

Since the number of upstream connection slots is limited (default 50), queries to zones with unresolvable NS records can exhaust all slots, causing Deadwood to respond with SERVFAIL to new queries and effectively making the resolver unavailable for up to 40 seconds.

This vulnerability can be triggered remotely by anyone able to configure a DNS zone with an unresolvable NS record, including accidental misconfigurations or infrastructure outages.


How can this vulnerability impact me?

This vulnerability can cause a denial-of-service condition on the MaraDNS Deadwood resolver by exhausting all available upstream connection slots.

When all slots are occupied by queries to zones with unresolvable NS addresses, new client queries requiring upstream resolution immediately receive SERVFAIL responses, making the DNS resolver unavailable for non-cached queries for up to 40 seconds.

This impacts the availability of DNS resolution services, potentially disrupting applications and services that rely on timely DNS responses.

The vulnerability requires no privileges and can be triggered remotely, increasing the risk of exploitation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring Deadwood's behavior for excessive SERVFAIL responses and resource exhaustion symptoms when resolving DNS zones with unresolvable authoritative nameserver addresses.

Specifically, detection involves identifying queries to zones whose NS records cannot be resolved, which cause upstream connection slots to be held for the full retry timeout period (default 40 seconds).

While no explicit commands are provided, network administrators can monitor Deadwood logs for repeated SERVFAIL responses and check for high numbers of concurrent upstream connections or socket usage.

Additionally, administrators can use DNS query tools (e.g., dig) to test resolution of NS records for suspicious zones to see if they are unresolvable or cause immediate failures.
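As an added example (not part of this record or of the MaraDNS project), the probe below checks for the symptom the answer above describes: new queries that come back SERVFAIL immediately, rather than after a slow upstream timeout. The resolver address, the probed names and the 50 ms "immediate" threshold are assumptions to adjust for the environment.

```python
"""Probe a recursive resolver for the slot-exhaustion symptom: queries that are
answered with an immediate SERVFAIL instead of a normal answer or a slow timeout."""
import socket
import struct
import time

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
# A SERVFAIL this fast cannot be a real upstream failure; the resolver refused the
# query itself (e.g. no free upstream slot). The threshold is an assumption.
IMMEDIATE_SECONDS = 0.05

def build_query(name: str, qid: int) -> bytes:
    """Minimal RFC 1035 A/IN query for `name` with RD set and the given ID."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_rcode(response: bytes) -> int:
    """RCODE is the low nibble of the flags word (bytes 2-3) of the 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", response[2:4])[0] & 0x000F

def classify(response: bytes, elapsed: float) -> str:
    rcode = parse_rcode(response)
    if rcode == 2 and elapsed < IMMEDIATE_SECONDS:
        return "immediate-servfail"
    return RCODE_NAMES.get(rcode, f"rcode-{rcode}")

def exhaustion_suspected(labels, threshold: float = 0.5) -> bool:
    """Alert when at least `threshold` of the probed queries were refused at once."""
    hits = sum(1 for lab in labels if lab == "immediate-servfail")
    return bool(labels) and hits / len(labels) >= threshold

def probe(resolver_ip: str, names, port: int = 53, timeout: float = 5.0):
    """Send one query per name and classify each reply; no reply within
    `timeout` is labelled 'timeout' (a genuine upstream wait, not a refusal)."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for qid, name in enumerate(names, start=1):
            start = time.monotonic()
            sock.sendto(build_query(name, qid), (resolver_ip, port))
            try:
                reply, _ = sock.recvfrom(512)
            except socket.timeout:
                results.append("timeout")
                continue
            results.append(classify(reply, time.monotonic() - start))
    return results

if __name__ == "__main__":
    # Placeholder resolver address and names; point at the Deadwood instance being watched.
    labels = probe("127.0.0.1", ["example.com", "example.net", "example.org"])
    print(labels, "exhaustion suspected:", exhaustion_suspected(labels))
```

Run it from a monitoring host at a fixed interval; a run where most uncached queries are labelled immediate-servfail matches the SERVFAIL-on-every-new-query behaviour described above, while NXDOMAIN or slow SERVFAIL answers point at ordinary upstream failures instead.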


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves tuning Deadwood's configuration to reduce the impact of the vulnerability until a code fix is available.

  • Reduce the `timeout_seconds` value in Deadwood's configuration file (`dwood3rc`) to lower the duration each upstream connection slot is held.
  • Reduce the `num_retries` parameter to decrease the number of retry attempts Deadwood performs on upstream queries.

These changes will shorten the maximum slot occupancy time from the default 40 seconds, helping to prevent exhaustion of connection slots and improve resolver availability.

