oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

PowerDNS Security Advisory 2026-02 for DNSdist: Multiple issues

From: Remi Gacogne <remi.gacogne () powerdns com>
Date: Tue, 31 Mar 2026 14:12:28 +0200
Hi all,
Today we released two new versions of DNSdist, 1.9.12 and 2.0.3, fixing several security issues that have been reported to us. These security issues are low-severity or involve unusual configurations. 

The issues fixed in these releases are:
- CVE-2026-0396: An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either "DynBlockRulesGroup:setSuffixMatchRule" or "DynBlockRulesGroup:setSuffixMatchRuleFFI" - CVE-2026-0397: When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard - CVE-2026-24028: An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses "newDNSPacketOverlay" to parse DNS packets - CVE-2026-24029: When the "early_acl_drop" ("earlyACLDrop" in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the "nghttp2" provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL - CVE-2026-24030: An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in denial of service - CVE-2026-27853: An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the "DNSQuestion:changeName" or "DNSResponse:changeName" methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service - CVE-2026-27854: Denial of service when using DNSQuestion:getEDNSOptions method in custom Lua code
The full security advisory can be found at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html
Minimal patches can be found at https://downloads.powerdns.com/patches/2026-02/ 

Please feel free to contact me directly if you have any question.

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: