CVE-2026-40011 PUBLISHED

Prometheus denial of service via crafted DNS queries

Assigner: OX
Reserved: 08.04.2026 Published: 25.06.2026 Updated: 25.06.2026

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 3.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	PowerDNS
Product	DNSdist
Versions	Default: unaffected affected from 1.9.0 to 1.9.15 (excl.) affected from 2.0.0 to 2.0.7 (excl.)

Credits

Haruki Oyama (Waseda University) finder

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html

Problem Types

Improper Encoding or Escaping of Output CWE