CVE-2026-24029
- EPSS 0.15%
- Veröffentlicht 31.03.2026 12:16:27
- Zuletzt bearbeitet 14.04.2026 16:24:27
When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
CVE-2026-24028
- EPSS 1.03%
- Veröffentlicht 31.03.2026 12:16:27
- Zuletzt bearbeitet 14.04.2026 16:27:24
An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or ...
CVE-2026-0397
- EPSS 0.16%
- Veröffentlicht 31.03.2026 11:53:13
- Zuletzt bearbeitet 14.04.2026 16:27:53
When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. Th...
CVE-2026-0396
- EPSS 0.14%
- Veröffentlicht 31.03.2026 11:50:51
- Zuletzt bearbeitet 13.04.2026 12:46:34
An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRules...
CVE-2025-30187
- EPSS 0.27%
- Veröffentlicht 18.09.2025 09:21:32
- Zuletzt bearbeitet 15.04.2026 00:35:42
In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causi...
CVE-2025-30193
- EPSS 0.59%
- Veröffentlicht 20.05.2025 11:17:17
- Zuletzt bearbeitet 15.04.2026 00:35:42
In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stac...
CVE-2025-30194
- EPSS 2.07%
- Veröffentlicht 29.04.2025 11:25:47
- Zuletzt bearbeitet 15.04.2026 00:35:42
When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The reme...
CVE-2024-25581
- EPSS 1.08%
- Veröffentlicht 14.05.2024 15:05:29
- Zuletzt bearbeitet 15.04.2026 00:35:42
When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) ...
CVE-2018-14663
- EPSS 2.57%
- Veröffentlicht 26.11.2018 23:29:00
- Zuletzt bearbeitet 21.11.2024 03:49:32
An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the t...
CVE-2016-7069
- EPSS 4.58%
- Veröffentlicht 11.09.2018 13:29:00
- Zuletzt bearbeitet 21.11.2024 02:57:23
An issue has been found in dnsdist before 1.2.0 in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to ...