Debian Dnsdist vulnerabilities

CVE-2026-27853 [MEDIUM] CVE-2026-27853: dnsdist - An attacker might be able to trigger an out-of-bounds write by sending crafted D... An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.

CVE-2026-24030 [MEDIUM] CVE-2026-24030: dnsdist - An attacker might be able to trick DNSdist into allocating too much memory while... An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state

CVE-2026-24028 [MEDIUM] CVE-2026-24028: dnsdist - An attacker might be able to trigger an out-of-bounds read by sending a crafted ... An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure. Scope: local bookworm: open bullseye: open for

CVE-2026-27854 [MEDIUM] CVE-2026-27854: dnsdist - An attacker might be able to trigger a use-after-free by sending crafted DNS que... An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service. Scope:

CVE-2026-24029 [MEDIUM] CVE-2026-24029: dnsdist - When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is ena... When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 2.0.3-1) sid: resolved (fixed in 2.0.3-1) trixie: ope

CVE-2026-0396 [LOW] CVE-2026-0396: dnsdist - An attacker might be able to inject HTML content into the internal web dashboard... An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 2.0.3-1) sid: resolved

CVE-2026-0397 [LOW] CVE-2026-0397: dnsdist - When the internal webserver is enabled (default is disabled), an attacker might ... When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy. Scope: local bookworm

CVE-2025-30193 [HIGH] CVE-2025-30193: dnsdist - In some circumstances, when DNSdist is configured to allow an unlimited number o... In some circumstances, when DNSdist is configured to allow an unlimited number of queries on a single, incoming TCP connection from a client, an attacker can cause a denial of service by crafting a TCP exchange that triggers an exhaustion of the stack and a crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.10 version. A workaro

CVE-2025-30194 [HIGH] CVE-2025-30194: dnsdist - When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker ... When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist ha

CVE-2025-30187 [LOW] CVE-2025-30187: dnsdist - In some circumstances, when DNSdist is configured to use the nghttp2 library to ... In some circumstances, when DNSdist is configured to use the nghttp2 library to process incoming DNS over HTTPS queries, an attacker might be able to cause a denial of service by crafting a DoH exchange that triggers an unbounded I/O read loop, causing an unexpected consumption of CPU resources. Scope: local bookworm: resolved bullseye: resolved forky: resolved (fixe

CVE-2024-25581 [HIGH] CVE-2024-25581: dnsdist - When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and ... When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enable

CVE-2023-44487 [HIGH] CVE-2023-44487: dnsdist - The HTTP/2 protocol allows a denial of service (server resource consumption) bec... The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. Scope: local bookworm: open bullseye: open forky: resolved (fixed in 1.8.2-2) sid: resolved (fixed in 1.8.2-2) trixie: resolved (fixed in 1.8.2-2)

CVE-2018-14663 [MEDIUM] CVE-2018-14663: dnsdist - An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attac... An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing data such that the addition of a record by dnsdist, for example an OPT record when adding EDNS Client Subnet, might result in the trailing data being smuggled to the backend as a valid record while not seen by dnsdist. This is an issue when dnsdis

CVE-2017-7557 [HIGH] CVE-2017-7557: dnsdist - dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for RE... dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack. Scope: local bookworm: resolved (fixed in 1.2.0-1) bullseye: resolved (fixed in 1.2.0-1) forky: resolved (fixed in 1.2.0-1) sid: resolved (fixed in 1.2.0-1) trixie: resolved (fixed in 1.2.0-1)

CVE-2016-7069 [MEDIUM] CVE-2016-7069: dnsdist - An issue has been found in dnsdist before 1.2.0 in the way EDNS0 OPT records are... An issue has been found in dnsdist before 1.2.0 in the way EDNS0 OPT records are handled when parsing responses from a backend. When dnsdist is configured to add EDNS Client Subnet to a query, the response may contain an EDNS0 OPT record that has to be removed before forwarding the response to the initial client. On a 32-bit system, the pointer arithmetic used when