Powerdns Dnsdist
23 CVEs affecting Powerdns Dnsdist. Latest disclosed: 2026-04-22. Critical: 0, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2017-7557 | High | 8.8 | 2017-08-22 | dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack. |
CVE-2026-33593 | High | 7.5 | 2026-04-22 | A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query. |
CVE-2025-30193 | High | 7.5 | 2025-05-20 | In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can c… |
CVE-2025-30194 | High | 7.5 | 2025-04-29 | When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illeg… |
CVE-2024-25581 | High | 7.5 | 2024-05-13 | When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigg… |
CVE-2026-33602 | Medium | 6.5 | 2026-04-22 | A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading t… |
CVE-2026-24029 | Medium | 6.5 | 2026-03-31 | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is… |
CVE-2026-27853 | Medium | 5.9 | 2026-03-31 | An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:chang… |
CVE-2026-33594 | Medium | 5.3 | 2026-04-22 | A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate int… |
CVE-2026-33595 | Medium | 5.3 | 2026-04-22 | A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not prop… |
CVE-2026-33254 | Medium | 5.3 | 2026-04-22 | An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service… |
CVE-2026-33260 | Medium | 5.3 | 2026-04-22 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server… |
CVE-2026-33257 | Medium | 5.3 | 2026-04-22 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server… |
CVE-2026-24030 | Medium | 5.3 | 2026-03-31 | An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of… |
CVE-2026-24028 | Medium | 5.3 | 2026-03-31 | An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS… |
CVE-2026-33598 | Medium | 4.8 | 2026-04-22 | A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache. |
CVE-2026-27854 | Medium | 4.8 | 2026-03-31 | An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua cod… |
CVE-2026-33597 | Low | 3.7 | 2026-04-22 | PRSD detection denial of service |
CVE-2025-30187 | Low | 3.7 | 2025-09-18 | In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a d… |
CVE-2026-33596 | Low | 3.1 | 2026-04-22 | A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed que… |