PowerDNS DNSdist Unbounded Memory Allocation Vulnerability in DNS over QUIC and HTTP/3

Vulnerability

A denial-of-service vulnerability has been identified in PowerDNS DNSdist versions from 1.9.0 up to, but not including, 1.9.11, and from 2.0.0 up to, but not including, 2.0.2. The issue arises from improper handling of DNS over QUIC (DoQ) and DNS over HTTP/3 (DoH3) payloads, which can lead to excessive memory allocation. In environments with ample memory, this typically raises an exception and the QUIC connection is closed cleanly. In some instances, however, the system may run out of memory and terminate the process.

Impact

Exploitation of this vulnerability can cause the DNSdist process to be terminated due to an out-of-memory condition, disrupting service.

Remediation

Users are advised to upgrade to PowerDNS DNSdist version 1.9.12 or 2.0.3, both of which include the necessary patch. Instructions for upgrading can be found in the PowerDNS DNSdist upgrade guide.
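
The version ranges above can be applied to a fleet inventory. The script below is an added example, not PowerDNS code: it takes the affected ranges and advised versions from this page as written and reports releases that fall between the two (1.9.11, 2.0.2) separately. The inventory format, host names and status labels are assumptions.

```python
import re

# Version boundaries exactly as stated in this advisory.
AFFECTED = [((1, 9, 0), (1, 9, 11)), ((2, 0, 0), (2, 0, 2))]  # [first, end)
ADVISED = {(1, 9): (1, 9, 12), (2, 0): (2, 0, 3)}             # per branch

_VER = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:[-~._]?(alpha|beta|rc))?", re.I)

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if no version found."""
    m = _VER.search(text)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups()[:3]), m.group(4) is not None

def classify(text):
    """Map a version string to a status label (labels are this example's own)."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    ver, pre = parsed
    for first, end in AFFECTED:
        # A pre-release of the boundary version sorts before it, so flag it too.
        if first <= ver < end or (pre and ver == end):
            return "affected"
    advised = ADVISED.get(ver[:2])
    if advised is None:
        return "not-listed"  # a branch this advisory says nothing about
    if ver < advised or (pre and ver == advised):
        return "below-advised"
    return "at-or-above-advised"

# Constructed inventory: "<host> <version text>", one entry per line.
SAMPLE_INVENTORY = """\
edge-dns-01  dnsdist 1.9.10 (Lua 5.4.4)
edge-dns-02  1.9.11-1pdns.bookworm
edge-dns-03  dnsdist 2.0.2-rc1
edge-dns-04  dnsdist 2.0.3
edge-dns-05  dnsdist 1.8.3
edge-dns-06  version string missing
"""

def triage(inventory):
    """Return [(host, status)] for every non-empty inventory line."""
    rows = [l.strip().partition(" ") for l in inventory.splitlines() if l.strip()]
    return [(host, classify(rest)) for host, _, rest in rows]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```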

Added: Mar 31, 2026, 12:30 PM
Updated: Mar 31, 2026, 12:30 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 8.3
remediation: 8.3
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.