CVE-2026-40719
Received Received - Intake
Connection Slot Exhaustion in MaraDNS 3.5.0036 via Deadwood Vulnerability

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: MITRE

Description
Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-15
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40719
EUVD
EUVD-2026-22839
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
samboy maradns 3.5.0036
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40719 is a resource exhaustion vulnerability in Deadwood, the recursive DNS resolver component of MaraDNS version 3.5.0036. It occurs when Deadwood tries to resolve a DNS zone whose authoritative nameserver address cannot be resolved, either because the NS hostname does not exist or the NS server is unreachable.

The root cause is that Deadwood's retry logic does not distinguish between immediate deterministic failures (like an NXDOMAIN response received very quickly) and genuine network timeouts. It sets a fixed timeout and retries multiple times regardless, holding upstream connection slots for about 40 seconds per query by default.

Since the number of upstream connection slots is limited (default 50), queries to zones with unresolvable NS records can exhaust all slots, causing Deadwood to respond with SERVFAIL to new queries and effectively making the resolver unavailable for up to 40 seconds.

This vulnerability can be triggered remotely by anyone able to configure a DNS zone with an unresolvable NS record, including accidental misconfigurations or infrastructure outages.

Impact Analysis

This vulnerability can cause a denial-of-service condition on the MaraDNS Deadwood resolver by exhausting all available upstream connection slots.

When all slots are occupied by queries to zones with unresolvable NS addresses, new client queries requiring upstream resolution immediately receive SERVFAIL responses, making the DNS resolver unavailable for non-cached queries for up to 40 seconds.

This impacts the availability of DNS resolution services, potentially disrupting applications and services that rely on timely DNS responses.

The vulnerability requires no privileges and can be triggered remotely, increasing the risk of exploitation.

Detection Guidance

This vulnerability can be detected by monitoring Deadwood's behavior for excessive SERVFAIL responses and resource exhaustion symptoms when resolving DNS zones with unresolvable authoritative nameserver addresses.

Specifically, detection involves identifying queries to zones whose NS records cannot be resolved, which cause upstream connection slots to be held for the full retry timeout period (default 40 seconds).

While no explicit commands are provided, network administrators can monitor Deadwood logs for repeated SERVFAIL responses and check for high numbers of concurrent upstream connections or socket usage.

Additionally, administrators can use DNS query tools (e.g., dig) to test resolution of NS records for suspicious zones to see if they are unresolvable or cause immediate failures.

Mitigation Strategies

Immediate mitigation involves tuning Deadwood's configuration to reduce the impact of the vulnerability until a code fix is available.

  • Reduce the `timeout_seconds` value in Deadwood's configuration file (`dwood3rc`) to lower the duration each upstream connection slot is held.
  • Reduce the `num_retries` parameter to decrease the number of retry attempts Deadwood performs on upstream queries.

These changes will shorten the maximum slot occupancy time from the default 40 seconds, helping to prevent exhaustion of connection slots and improve resolver availability.

Compliance Impact

CVE-2026-40719 causes a denial-of-service condition in the Deadwood DNS resolver component of MaraDNS 3.5.0036 by exhausting upstream connection slots. This leads to resolver unavailability and immediate SERVFAIL responses for new queries.

The vulnerability impacts availability but does not affect confidentiality or integrity of data.

Since common standards and regulations like GDPR and HIPAA emphasize the protection of confidentiality, integrity, and availability of data, this vulnerability primarily affects the availability aspect.

However, there is no direct indication from the provided information that this vulnerability leads to unauthorized data access, data leakage, or compromise of personal or sensitive information.

Therefore, while the vulnerability could impact service availability and potentially disrupt operations that rely on DNS resolution, it does not directly violate compliance requirements related to data confidentiality or integrity under standards like GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40719. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart