CVE-2026-24030 PUBLISHED

Unbounded memory allocation for DoQ and DoH3

Assigner: OX
Reserved: 20.01.2026 Published: 31.03.2026 Updated: 31.03.2026

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	PowerDNS
Product	DNSdist
Versions	Default: unaffected affected from 1.9.0 to 1.9.12 (excl.) affected from 2.0.0 to 2.0.3 (excl.)

Credits

XavLimSG finder

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

Problem Types

Uncontrolled Memory Allocation CWE