PowerDNS DNSdist
cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*
- <= 2.0.3
- <= 1.9.12
A denial-of-service vulnerability has been identified in PowerDNS DNSdist versions through 2.0.3 and 1.9.12. This issue arises when a client sends a flood of perfectly timed queries to a TCP-only or DNS over TLS backend, causing a mismatch between the queries sent and the responses received. As a result, the server may become overwhelmed, leading to service disruption.
Exploitation of this vulnerability causes a denial-of-service condition by creating a mismatch between sent queries and received responses, potentially overwhelming the server.
Users can upgrade to PowerDNS DNSdist versions 1.9.13 or 2.0.4, where this vulnerability has been patched. Alternatively, do not route queries to TCP-only or DNS over TLS backends.
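A triage check for the advisory above, added here as an example (it is not part of the original advisory and is not PowerDNS code): it tests a version string against the affected ranges and scans a Lua configuration for `newServer` backends declared with `tcpOnly=true` or `tls=...`. The function names are hypothetical and the sample configuration is constructed. It assumes a Lua-format configuration and reads the affected ranges as everything up to 1.9.12 plus 2.0.0 through 2.0.3.

```python
import re

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'dnsdist 1.9.12 (Lua 5.4)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """Advisory ranges: <= 1.9.12, and the 2.0 branch up to 2.0.3 (assumed reading)."""
    if version < (2, 0, 0):
        return version <= (1, 9, 12)
    return version <= (2, 0, 3)

# Matches newServer({...}); requires '})' so nested tables such as pool={...} are tolerated.
NEWSERVER = re.compile(r"newServer\s*\(\s*\{(.*?)\}\s*\)", re.S)

def risky_backends(lua_config):
    """Addresses of backends declared TCP-only or DNS over TLS."""
    text = re.sub(r"--[^\n]*", "", lua_config)  # drop Lua line comments
    hits = []
    for body in NEWSERVER.findall(text):
        tcp_only = re.search(r"\btcpOnly\s*=\s*true\b", body)
        dot = re.search(r"\btls\s*=\s*[\"']", body)
        if tcp_only or dot:
            addr = re.search(r"\baddress\s*=\s*[\"']([^\"']+)", body)
            hits.append(addr.group(1) if addr else "<unknown>")
    return hits

def triage(version_text, lua_config):
    """Action is needed only when an affected version fronts a TCP-only or DoT backend."""
    affected = is_affected(parse_version(version_text))
    backends = risky_backends(lua_config)
    return {"affected_version": affected, "risky_backends": backends,
            "action_needed": affected and bool(backends)}

# Constructed sample configuration (documentation addresses, not from the advisory).
SAMPLE_CONFIG = '''
newServer({address="192.0.2.10:53"})
newServer({address="192.0.2.20:53", tcpOnly=true})
newServer({address="192.0.2.30:853", tls="openssl", subjectName="dot.example.net"})
-- newServer({address="192.0.2.40:53", tcpOnly=true})
'''

if __name__ == "__main__":
    print(triage("dnsdist 1.9.12 (Lua 5.4)", SAMPLE_CONFIG))
```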