CVE-2026-40209
Status: Deferred - Pending Action
IXFR Query Induced TCP Connection Leak in Open-Xchange

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Open-Xchange

Description
An attacker might be able to cause outgoing TCP connections to a backend to remain stuck until a timeout occurs, instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit on the number of concurrent connections to this backend, or if the process runs out of file descriptors.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
4 associated CPEs

Vendor     Product   Version / Range
powerdns   dnsdist   up to 2.0.6 (inclusive)
powerdns   dnsdist   up to 1.9.14 (inclusive)
powerdns   dnsdist   from 1.9.15 (inclusive)
powerdns   dnsdist   from 2.0.7 (inclusive)
CWE
CWE-772: The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40209 is a medium-severity vulnerability in PowerDNS DNSdist versions up to 2.0.6 and 1.9.14. It involves specially crafted IXFR (Incremental Zone Transfer) queries that cause outgoing TCP connections to backend servers to remain stuck until a timeout occurs, rather than being released immediately.

This behavior can disrupt normal operations by exhausting available connections or file descriptors.

Impact Analysis

The vulnerability can lead to a denial of service condition by causing outgoing TCP connections to backend servers to become stuck.

  • If there is a limit on the number of concurrent connections to the backend, these stuck connections can exhaust that limit.
  • If the process runs out of file descriptors due to these stuck connections, it can no longer open new connections, disrupting service availability.
Detection Guidance

This vulnerability is a denial of service in which crafted IXFR queries leave outgoing TCP connections to backend servers stuck until they time out.

To detect this vulnerability on your network or system, you can monitor for unusual or excessive IXFR query traffic targeting your PowerDNS DNSdist servers.

Additionally, you can check for a high number of stuck or hanging TCP connections to backend servers, which may indicate exploitation attempts.

  • Use network traffic analysis tools (e.g., tcpdump, Wireshark) to identify IXFR queries. The query type follows the variable-length QNAME, so it cannot be matched with a fixed-offset BPF filter; capture DNS traffic with `tcpdump -i <interface> -nn -w <capture.pcap> 'port 53'` (IXFR queries may arrive over UDP or TCP) and filter the capture with the Wireshark display filter `dns.qry.type == 251` (251 is the IXFR query type), or with `tshark -r <capture.pcap> -Y 'dns.qry.type == 251'`.
  • Check the number of established TCP connections to backend servers using commands like `netstat -an | grep <backend_ip>:<port> | grep ESTABLISHED | wc -l`.
  • Monitor file descriptor usage of the DNSdist process to detect exhaustion, e.g. compare `ls /proc/<dnsdist_pid>/fd | wc -l` (or `lsof -p <dnsdist_pid> | wc -l`) against the open-files limit shown in `cat /proc/<dnsdist_pid>/limits`.
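As an added example (not part of this record or of the DNSdist project), the following Python parser identifies IXFR queries by walking the variable-length QNAME to reach the QTYPE field and comparing it with 251, then counts them over a batch of constructed sample messages. It assumes raw DNS payloads (the UDP payload, or the TCP payload with its two-byte length prefix removed).

```python
import struct

QTYPE_IXFR = 251  # RFC 1995 incremental zone transfer query type


def parse_question(msg: bytes):
    """Return (qname, qtype, qclass) of the first question in a raw DNS message
    (UDP payload, or TCP payload minus its 2-byte length prefix). QNAME is
    variable-length, so QTYPE's offset is only known after walking the labels;
    a fixed-offset packet filter cannot match it reliably."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    if struct.unpack_from("!H", msg, 4)[0] == 0:  # QDCOUNT
        return None
    off, labels = 12, []
    while True:
        if off >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[off]
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    if off + 4 > len(msg):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return ".".join(labels) or ".", qtype, qclass


def is_ixfr_query(msg: bytes) -> bool:
    question = parse_question(msg)
    return question is not None and question[1] == QTYPE_IXFR


def count_ixfr(messages) -> int:
    """Number of messages in a captured batch that are IXFR queries."""
    return sum(1 for m in messages if is_ixfr_query(m))


def build_query(name: str, qtype: int) -> bytes:
    """Constructed sample query (test data, not captured traffic): one question, RD set."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed sample batch: an A query, an IXFR query and an AAAA query.
SAMPLE = [build_query("example.com", 1), build_query("example.com", QTYPE_IXFR),
          build_query("zone.example", 28)]
```

Fed with payloads extracted from a capture, `count_ixfr` gives the per-batch IXFR count to compare against the normal baseline for your zone-transfer clients.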
Mitigation Strategies

The recommended immediate mitigation steps for this vulnerability are to upgrade PowerDNS DNSdist to a patched version or block incoming IXFR queries.

  • Upgrade DNSdist to 1.9.15 or later on the 1.9 branch, or to 2.0.7 or later on the 2.0 branch, where the vulnerability is fixed.
  • If upgrading immediately is not possible, implement a firewall or DNSdist rule to block or filter incoming IXFR queries to prevent exploitation.