5.3
CVE-2026-40211
- EPSS 0.41%
- Veröffentlicht 25.06.2026 12:23:55
- Zuletzt bearbeitet 25.06.2026 15:59:47
- Quelle security@open-xchange.com
- CVE-Watchlists
- Unerledigt
Denial of service via crafted DoH3 queries
An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerPowerDNS
≫
Produkt
DNSdist
Default Statusunaffected
Version
1.9.0
Version <
1.9.15
Status
affected
Version
2.0.0
Version <
2.0.7
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.41% | 0.33 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@open-xchange.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-770 Allocation of Resources Without Limits or Throttling
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html