PowerDNS DNSdist Use-After-Free Vulnerability in EDNS Options Parsing via Lua

Vulnerability

A use-after-free vulnerability affects PowerDNS DNSdist versions 1.9.0 up to but not including 1.9.11, and 2.0.0 up to but not including 2.0.2. The bug is reachable only when custom Lua code calls the DNSQuestion:getEDNSOptions method: the EDNS options object handed to Lua can end up referring to a version of the DNS packet that has since been modified, so an attacker who sends crafted DNS queries can make that object point at memory that is no longer valid. Using it then triggers a use-after-free, which can crash DNSdist and cause a denial of service. Deployments whose Lua configuration never calls DNSQuestion:getEDNSOptions do not expose this code path.

Impact

Exploitation crashes the DNSdist process, denying service to every client that resolves through it. The trigger is an unauthenticated DNS query, so the only precondition on the attacker's side is reaching a listener whose Lua rules call DNSQuestion:getEDNSOptions; no impact beyond the crash is reported for this issue.

Remediation

Upgrade to PowerDNS DNSdist 1.9.12 or 2.0.3 (or later), where this vulnerability has been patched. Where an immediate upgrade is not possible, remove every call to DNSQuestion:getEDNSOptions from the custom Lua configuration; the bug is reachable only through that method, so a configuration that does not use it is not exposed.
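Whether a given deployment is exposed depends on the two facts this entry gives: the running version and whether the Lua configuration calls DNSQuestion:getEDNSOptions. The following Python audit script is an added example, not code from PowerDNS or from this page. It encodes the affected ranges exactly as stated above (1.9.0 up to but not including 1.9.11, and 2.0.0 up to but not including 2.0.2), assumes that `dnsdist --version` prints a banner beginning with `dnsdist <version>`, and runs against a constructed sample configuration rather than a real one.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges as stated in this entry: [1.9.0, 1.9.11) and [2.0.0, 2.0.2).
# Each pair is (first affected, first fixed), compared as (major, minor, patch).
AFFECTED_RANGES = [
    ((1, 9, 0), (1, 9, 11)),
    ((2, 0, 0), (2, 0, 2)),
]

# The Lua method whose use makes the bug reachable.
RISKY_METHOD = "getEDNSOptions"

# A banner such as "dnsdist 1.9.10 (Lua 5.4.6)" is tried first so the Lua version
# is never mistaken for the dnsdist version; a bare "2.0.2-rc1" is the fallback.
# The banner format is an assumption about `dnsdist --version` output.
_VERSION_PATTERNS = [
    re.compile(r"\bdnsdist\s+(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?"),
    re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?"),
]

_LINE_COMMENT_RE = re.compile(r"--.*$")
_BLOCK_COMMENT_RE = re.compile(r"--\[\[.*?\]\]", re.S)  # plain --[[ ]] only, not --[==[ ]==]


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease), or None if no version is present.

    A suffix such as -alpha1 or -rc2 marks a build that precedes the plain release,
    which matters when the numeric part equals a range's first-fixed bound.
    """
    for pattern in _VERSION_PATTERNS:
        m = pattern.search(text)
        if m:
            core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
            return core, m.group(4) is not None
    return None


def is_affected_version(text: str) -> bool:
    """True if the version in `text` lies inside one of the affected ranges."""
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError(f"no dnsdist version found in {text!r}")
    core, prerelease = parsed
    for first_bad, first_fixed in AFFECTED_RANGES:
        if first_bad <= core < first_fixed:
            return True
        # A pre-release of the fixed version (e.g. 1.9.11-rc1) predates the fix.
        if core == first_fixed and prerelease:
            return True
    return False


def lua_calls_risky_method(lua_source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every live call of the risky method.

    Block comments are blanked with newlines so line numbers stay stable, and line
    comments are stripped, so commented-out calls are not reported.
    """
    stripped = _BLOCK_COMMENT_RE.sub(lambda m: "\n" * m.group(0).count("\n"), lua_source)
    hits = []
    for lineno, line in enumerate(stripped.splitlines(), start=1):
        code = _LINE_COMMENT_RE.sub("", line)
        if re.search(r"[:.]\s*" + RISKY_METHOD + r"\s*\(", code):
            hits.append((lineno, line.strip()))
    return hits


def assess(version_banner: str, lua_source: str) -> Dict[str, object]:
    """Combine both checks into one exposure verdict with a recommended action."""
    affected = is_affected_version(version_banner)
    hits = lua_calls_risky_method(lua_source)
    exposed = affected and bool(hits)
    if exposed:
        action = "upgrade to 1.9.12 / 2.0.3 or later, or remove the getEDNSOptions calls"
    elif affected:
        action = "upgrade; not currently exposed because the Lua config does not call getEDNSOptions"
    else:
        action = "none required for this issue"
    return {"affected_version": affected, "calls": hits, "exposed": exposed, "action": action}


# Constructed sample dnsdist.conf for this example; it is not from any real deployment.
SAMPLE_CONFIG = """\
-- constructed sample configuration
newServer({address="192.0.2.53"})
--[[ old debugging rule, disabled:
addAction(AllRule(), LuaAction(function(dq) local o = dq:getEDNSOptions() return DNSAction.None end))
]]
function logClientOptions(dq)
  local opts = dq:getEDNSOptions()  -- live call: this is what the entry warns about
  return DNSAction.None
end
addAction(AllRule(), LuaAction(logClientOptions))
"""

if __name__ == "__main__":
    report = assess("dnsdist 1.9.10 (Lua 5.4.6)", SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The version check is deliberately strict about pre-releases: `2.0.2-rc1` is reported as affected because it predates the fixed release with the same number. The Lua scan is a text check, not a parser, so a call built dynamically (for example through a variable holding the method name) would not be found; treat a clean result as a reason to review, not as proof.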

Added: Mar 31, 2026, 12:29 PM
Updated: Mar 31, 2026, 12:29 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 7.6
remediation: 7.9
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.