CVE-2026-24028: Buffer Over-read in Dnsdist

CWE-126: Buffer Over-read | 8 documents, 7 sources

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.0% (top 97.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Mar 31

Description

An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEList V5: powerdns/dnsdist 1.9.0 to 1.9.12 (+1)
Debian: powerdns/dnsdist < 2.0.3-1

🔴 Vulnerability Details (3)

GHSA: GHSA-q26r-j393-x8vq: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to ... (2026-03-31)
CVEList: Out-of-bounds read when parsing DNS packets via Lua (2026-03-31)
OSV: CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to ... (2026-03-31)

📋 Vendor Advisories (1)

Debian: CVE-2026-24028: dnsdist - An attacker might be able to trigger an out-of-bounds read by sending a crafted ... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-24028 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community (2)

Bugzilla: CVE-2026-24028 dnsdist: dnsdist and PowerDNS: Denial of service or information disclosure via crafted DNS response packet [fedora-all] (2026-03-31)
Bugzilla: CVE-2026-24028 dnsdist: dnsdist and PowerDNS: Denial of service or information disclosure via crafted DNS response packet [epel-all] (2026-03-31)

CVE-2026-24028: Buffer Over-read in Powerdns Dnsdist | cvebase