PowerDNS DNSdist
cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*
- <= 2.0.3
- <= 1.9.12
An out-of-bounds read has been identified in PowerDNS DNSdist versions up to and including 2.0.3 and 1.9.12. It is reachable only when Discovery of Designated Resolvers (DDR, RFC 9462) auto-upgrade is enabled for a backend, via the autoUpgrade option in the Lua configuration or the auto_upgrade setting in the YAML configuration. With that option on, dnsdist itself periodically sends an SVCB query to each backend to learn whether it offers DNS over TLS or DNS over HTTPS and, if so, upgrades the backend connection. A rogue (or compromised) backend that answers this query with a crafted SVCB response triggers the out-of-bounds read, and the bad read feeds an excessive memory allocation.
The result is a denial of service: the allocation can crash dnsdist or leave it unresponsive, so a single malicious backend can take down the frontend that forwards to it. The attacker needs only to control the backend's answer to the DDR query; no client traffic is involved.
Users can upgrade to PowerDNS DNSdist 1.9.13 or 2.0.4, where this has been patched. If upgrading is not immediately possible, disable DDR auto-upgrade: remove autoUpgrade=true from the affected newServer entries (Lua) or disable the backend's auto_upgrade setting (YAML). The option is off by default, so deployments that never enabled it are not exposed; deployments that relied on it for encrypted backend transport should configure that transport explicitly rather than leave discovery on until they can upgrade.
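The triage helper below is an added example for this page, not code from PowerDNS or the dnsdist project. It applies the two conditions above, an affected version and DDR auto-upgrade enabled, to a version string and a config file. It assumes the Lua option name autoUpgrade and a YAML auto_upgrade block with an enabled key as named in the dnsdist documentation, and that later release lines carry the 2.0.4 fix; the sample configurations are constructed here.

```sh
#!/bin/sh
# Added example (not dnsdist project code): triage helper for the DDR SVCB
# out-of-bounds read. Two checks: is the dnsdist version in an affected range,
# and does the configuration enable DDR auto-upgrade (the precondition)?

# Returns 0 when VERSION is affected, 1 when it carries the fix.
# Ranges follow this page literally: fixed in 1.9.13 and 2.0.4, anything older
# in either line is affected. Later lines (2.1+) are assumed to carry the 2.0.4
# fix; pre-release suffixes such as "-beta1" are ignored. Feed it the version
# number printed by "dnsdist --version" (assumed to be the second word).
dnsdist_version_affected() {
    v=$1
    major=${v%%.*}
    case $v in *.*) rest=${v#*.} ;; *) rest=0.0 ;; esac
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}; patch=${patch:-0}
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$major" -eq 2 ]; then
        if [ "$minor" -eq 0 ] && [ "$patch" -le 3 ]; then return 0; fi
        return 1
    fi
    if [ "$major" -eq 1 ]; then
        if [ "$minor" -gt 9 ]; then return 1; fi
        if [ "$minor" -eq 9 ] && [ "$patch" -ge 13 ]; then return 1; fi
    fi
    return 0
}

# Returns 0 when the config (file path, or stdin with no argument) enables DDR
# auto-upgrade. Lua form: newServer({..., autoUpgrade=true}). YAML form: a
# backend's auto_upgrade block, or inline map, with enabled: true. Key names
# are assumed from the dnsdist docs. A commented-out line still matches, so a
# hit means "go and look", not proof.
dnsdist_config_enables_ddr() {
    if [ $# -gt 0 ]; then cfg=$(cat "$1"); else cfg=$(cat); fi
    printf '%s\n' "$cfg" | grep -Eq 'autoUpgrade[ \t]*=[ \t]*true' && return 0
    printf '%s\n' "$cfg" | awk '
        function indent(s) { match(s, /^[ \t]*/); return RLENGTH }
        /auto_upgrade:[ \t]*\{[^}]*enabled:[ \t]*true/ { found = 1; exit }
        /auto_upgrade:/ { inblock = 1; depth = indent($0); next }
        inblock && NF > 0 && indent($0) <= depth { inblock = 0 }
        inblock && /enabled:[ \t]*true/ { found = 1; exit }
        END { exit !found }
    '
}

# Combined verdict: exposed only when both version and config say so.
# $1 = version string, $2 = configuration text. Returns 0 when exposed.
dnsdist_exposed() {
    if dnsdist_version_affected "$1" && printf '%s\n' "$2" | dnsdist_config_enables_ddr; then
        echo "EXPOSED: dnsdist $1 with DDR auto-upgrade enabled; upgrade or disable autoUpgrade"
        return 0
    fi
    echo "not exposed: dnsdist $1"
    return 1
}

# Constructed sample configurations (not from any real deployment).
sample_lua_ddr_on='newServer({address="192.0.2.53:53", autoUpgrade=true})'
sample_lua_ddr_off='newServer({address="192.0.2.53:53"})'
sample_yaml_ddr_on='backends:
  - address: "192.0.2.53:53"
    auto_upgrade:
      enabled: true
      pool: "upgraded"'
sample_yaml_ddr_off='backends:
  - address: "192.0.2.53:53"
    auto_upgrade:
      enabled: false'

dnsdist_exposed 2.0.3 "$sample_yaml_ddr_on"          # affected version, DDR on
dnsdist_exposed 2.0.4 "$sample_yaml_ddr_on" || :     # fixed version
dnsdist_exposed 1.9.12 "$sample_lua_ddr_off" || :    # DDR never enabled
```

Run it against a real deployment with the version from dnsdist --version and the config path, for example dnsdist_config_enables_ddr /etc/dnsdist/dnsdist.conf. The YAML check is indentation-based and deliberately simple; a config generated by a templating tool should be checked after rendering.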