CVE-2026-40211
Deferred Deferred - Pending Action

DNS over HTTP/3 Memory Leak DoS Vulnerability

Vulnerability report for CVE-2026-40211, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: Open-Xchange

Description

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-07-15
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
powerdns dnsdist to 2.0.6 (inc)
powerdns dnsdist to 1.9.14 (inc)
powerdns dnsdist From 1.9.15 (inc)
powerdns dnsdist From 2.0.7 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability involves an attacker sending specially crafted DNS queries over HTTP/3 (DoH3) that trigger an exception in the system. This exception prevents a certain buffer from being freed immediately. Although the buffer is eventually freed at the end of the QUIC connection, on some setups, an attacker can open enough concurrent DoH3 streams to exhaust memory resources.

The result is an out-of-memory condition that can cause the system to become unresponsive or crash, leading to a denial of service.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS). An attacker can exploit it to consume system memory by opening many concurrent DNS over HTTP/3 streams, causing the system to run out of memory.

This can lead to service interruptions, crashes, or degraded performance, affecting availability of the affected service or application.

Mitigation Strategies

To mitigate this vulnerability, the best immediate step is to upgrade PowerDNS DNSdist to a patched version that addresses the issue.

Since the vulnerability involves denial of service triggered by crafted DNS over HTTP/3 queries, limiting or blocking such queries at the network perimeter or applying specific filtering rules may help reduce exposure until an upgrade can be performed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40211. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart