Powerdns

Pdns

42 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2026-33257

  • EPSS 0.01%
  • Veröffentlicht 22.04.2026 10:16:51
  • Zuletzt bearbeitet 27.04.2026 17:03:56

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

4.9

CVE-2026-33600

  • EPSS 0.02%
  • Veröffentlicht 22.04.2026 09:33:12
  • Zuletzt bearbeitet 27.04.2026 16:59:23

An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.

7.5

CVE-2026-27854

  • EPSS 0.01%
  • Veröffentlicht 31.03.2026 12:16:28
  • Zuletzt bearbeitet 14.04.2026 16:09:48

An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that...

7.5

CVE-2026-27853

  • EPSS 0.01%
  • Veröffentlicht 31.03.2026 12:16:27
  • Zuletzt bearbeitet 14.04.2026 16:12:32

An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger th...

7.5

CVE-2026-24030

  • EPSS 0.01%
  • Veröffentlicht 31.03.2026 12:16:27
  • Zuletzt bearbeitet 14.04.2026 16:15:28

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an ex...

6.5

CVE-2026-24029

  • EPSS 0%
  • Veröffentlicht 31.03.2026 12:16:27
  • Zuletzt bearbeitet 14.04.2026 16:24:27

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

8.2

CVE-2026-24028

  • EPSS 0.01%
  • Veröffentlicht 31.03.2026 12:16:27
  • Zuletzt bearbeitet 14.04.2026 16:27:24

An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or ...

4.3

CVE-2026-0397

  • EPSS 0%
  • Veröffentlicht 31.03.2026 11:53:13
  • Zuletzt bearbeitet 14.04.2026 16:27:53

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. Th...

4.3

CVE-2026-0396

  • EPSS 0%
  • Veröffentlicht 31.03.2026 11:50:51
  • Zuletzt bearbeitet 13.04.2026 12:46:34

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRules...

6.5

CVE-2025-59024

  • EPSS 0%
  • Veröffentlicht 09.02.2026 14:44:28
  • Zuletzt bearbeitet 20.04.2026 15:11:15

Crafted delegations or IP fragments can poison cached delegations in Recursor.