PowerDNS Security Advisory 2026-04 for DNSdist: Multiple Issues

Vulnerability Overview

This security advisory concerns the PowerDNS DNSdist software and discloses multiple security vulnerabilities, primarily involving insufficient input validation in the internal web server, resource exhaustion, out-of-bounds access, and memory allocation issues.

Impact Scope

Affected Versions: PowerDNS DNSdist 2.0.3 and later, as well as 1.9.12 and later.
Unaffected Versions: PowerDNS DNSdist 1.9.13, 2.0.4.

Remediation

General Solution: Upgrade to the patched versions (1.9.13, 2.0.4).

Specific Configuration Recommendations:
- Disable the internal web server (it is disabled by default).
- Restrict the internal web server to trusted clients only.
- Disable DoQ or DoH3 connections.
- Disable DDR (Discovery of Designated Resolvers).
- Avoid using Lua code calls such as or .

Detailed Vulnerability List

1. CVE-2026-33257 & CVE-2026-33260: Insufficient Input Validation in Internal Web Server
Description: An attacker can trigger this issue by sending specially crafted HTTP requests, causing the internal web server to allocate memory without bound, leading to denial of service (DoS).
Risk: Denial of Service.
Remediation: Upgrade to a patched version or block network access to the web server.

2. CVE-2026-33254: Resource Exhaustion via DoQ/DoH3 Connections
Description: An attacker can open a large number of DoQ or DoH3 connections, causing unbounded memory allocation and denial of service.
Risk: Denial of Service.
Remediation: Upgrade to a patched version or disable DoQ and DoH3.

3. CVE-2026-33602: Out-of-Bounds Access When Processing Malformed UDP Responses
Description: A malicious backend can send a specially crafted UDP response whose query ID deviates from the configured maximum value of 1, triggering an out-of-bounds write and resulting in denial of service.
Risk: Denial of Service.
Remediation: Upgrade to a patched version.

4. CVE-2026-33599: Out-of-Bounds Read in Service Discovery
Description: A malicious backend can send a specially crafted SVCB response, causing an out-of-bounds read when service discovery is requested via the (Lua) or (YAML) options.
Risk: Denial of Service.
Remediation: Upgrade to a patched version or disable DDR.

5. CVE-2026-33598: Out-of-Bounds Read During Cache Check via Lua
Description: A specially crafted cached response can cause an out-of-bounds read, provided that custom Lua code calls or .
Risk: Denial of Service.
Remediation: Upgrade to a patched version or avoid using the above Lua functions.

6. CVE-2026-33597: PRSD Detection Denial of Service
Description: A specially crafted query containing invalid DNS labels can prevent the PRSD detection algorithm executed via or .
Risk: Denial of Service.
Remediation: Upgrade to a patched version.

7. CVE-2026-33596: TCP Backend Stream ID Overflow
Description: A client can send precisely timed queries (routed to TCP-only or DNS over TLS backends), causing a mismatch between query transmission and response reception and leading to an overflow.
Risk: Denial of Service.
Remediation: Upgrade to a patched version.

8. CVE-2026-33595: Excessive Memory Allocation in DoQ/DoH3
Description: A client can generate a large number of error responses on a single DoQ or DoH3 connection, triggering excessive memory allocation because resources are not properly released when the connection terminates.
Risk: Denial of Service.
Remediation: Upgrade to a patched version or disable DoQ and DoH3.

9. CVE-2026-33594: Excessive Memory Allocation in Outbound DoH
Description: Similar to CVE-2026-33595, this involves memory allocation issues with outbound DoH connections.
Risk: Denial of Service.
Remediation: Upgrade to a patched version.

(Note: The screenshot on the page did not contain specific PoC or exploit code, only vulnerability descriptions and remediation recommendations.)
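As an added illustration of the configuration recommendations above (example configuration, not part of the advisory or of the dnsdist project), a dnsdist Lua configuration that applies the interim mitigations until the patched versions are deployed. The web server credentials, the 192.0.2.0/24 management range, the listener address and the backend address are placeholders.

```lua
-- Example dnsdist.conf (Lua) applying the advisory's interim mitigations.
-- Placeholder values: credentials, 192.0.2.0/24 management range, addresses.

-- Weak settings (kept only as a contrast; leave them commented out):
-- webserver("0.0.0.0:8083")                          -- web server reachable from every interface
-- addDOQLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")   -- DoQ exposed
-- addDOH3Local("0.0.0.0:443", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")  -- DoH3 exposed

-- 1. Internal web server: bind to loopback only and restrict it to trusted clients.
--    (Omitting the webserver() call altogether keeps it disabled, the default.)
webserver("127.0.0.1:8083")
setWebserverConfig({
  password = "CHANGE-ME",            -- placeholder, replace before use
  apiKey   = "CHANGE-ME-TOO",        -- placeholder, replace before use
  acl      = "127.0.0.1, ::1, 192.0.2.0/24",  -- loopback plus a placeholder management range
})

-- 2. DoQ / DoH3: no addDOQLocal() or addDOH3Local() frontends are declared,
--    so only the classic UDP/TCP listener below is exposed.
setLocal("192.0.2.53:53")            -- placeholder listener address

-- 3. DDR (Discovery of Designated Resolvers): the backend is declared without
--    any service-discovery / auto-upgrade option, leaving that feature off.
newServer({ address = "192.0.2.10:53", name = "backend1" })  -- placeholder backend

-- 4. No custom Lua actions calling the cache-check functions named in the
--    advisory are registered in this configuration.
```

Once 1.9.13 or 2.0.4 is installed, the DoQ/DoH3 frontends and DDR can be re-enabled; the web server binding and ACL are worth keeping regardless.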