CVE-2026-33596
- EPSS 0.17%
- Veröffentlicht 22.04.2026 14:16:54
- Zuletzt bearbeitet 24.04.2026 18:50:36
A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.
CVE-2026-33595
- EPSS 0.37%
- Veröffentlicht 22.04.2026 14:16:53
- Zuletzt bearbeitet 24.04.2026 18:49:49
A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.
CVE-2026-33594
- EPSS 0.37%
- Veröffentlicht 22.04.2026 14:16:53
- Zuletzt bearbeitet 24.04.2026 16:48:39
A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.
CVE-2026-33593
- EPSS 0.38%
- Veröffentlicht 22.04.2026 14:16:53
- Zuletzt bearbeitet 24.04.2026 18:49:36
A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
CVE-2026-33254
- EPSS 0.37%
- Veröffentlicht 22.04.2026 14:16:53
- Zuletzt bearbeitet 27.04.2026 16:58:36
An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.
CVE-2026-33260
- EPSS 0.52%
- Veröffentlicht 22.04.2026 10:16:51
- Zuletzt bearbeitet 27.04.2026 17:03:22
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVE-2026-33257
- EPSS 0.51%
- Veröffentlicht 22.04.2026 10:16:51
- Zuletzt bearbeitet 27.04.2026 17:03:56
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVE-2026-27854
- EPSS 0.47%
- Veröffentlicht 31.03.2026 12:16:28
- Zuletzt bearbeitet 14.04.2026 16:09:48
An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that...
CVE-2026-27853
- EPSS 0.49%
- Veröffentlicht 31.03.2026 12:16:27
- Zuletzt bearbeitet 14.04.2026 16:12:32
An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger th...
CVE-2026-24030
- EPSS 0.54%
- Veröffentlicht 31.03.2026 12:16:27
- Zuletzt bearbeitet 14.04.2026 16:15:28
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an ex...