Search for packages
| purl | pkg:apk/alpine/dnsdist@2.0.4-r0?arch=armv7&distroversion=edge&reponame=community |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | ||
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1mgq-74b9-4bcg | A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection. |
CVE-2026-33595
|
| VCID-3qce-a24m-yue1 | An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service. |
CVE-2026-27853
|
| VCID-744k-b7s7-kbh5 | A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default. |
CVE-2026-33599
|
| VCID-7xds-447f-qufr | A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend. |
CVE-2026-33596
|
| VCID-a65j-y7z3-fudk | A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service. |
CVE-2026-33602
|
| VCID-afun-gxhy-rbed | A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query. |
CVE-2026-33593
|
| VCID-atx2-yc9p-g3c7 | An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process. |
CVE-2026-24030
|
| VCID-c7az-aw1f-4yah | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. |
CVE-2026-24029
|
| VCID-chzq-qej6-rkdq | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
CVE-2026-33257
|
| VCID-fbsf-bbw7-kyah | PRSD detection denial of service |
CVE-2026-33597
|
| VCID-gx8g-nvhj-1kak | When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy. |
CVE-2026-0397
|
| VCID-nrex-hpxg-ekhs | A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection. |
CVE-2026-33594
|
| VCID-pfhu-1qdf-p7d5 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
CVE-2026-33260
|
| VCID-qc7c-1d8j-hfha | A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache. |
CVE-2026-33598
|
| VCID-rf53-w9k3-7ych | An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure. |
CVE-2026-24028
|
| VCID-szpa-skfv-bygh | An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service. |
CVE-2026-27854
|
| VCID-x5p9-vthx-tud8 | An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI. |
CVE-2026-0396
|
| VCID-ytdy-s1ug-dkh7 | An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default. |
CVE-2026-33254
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-25T23:31:35.597340+00:00 | Alpine Linux Importer | Fixing | VCID-qc7c-1d8j-hfha | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:35.022795+00:00 | Alpine Linux Importer | Fixing | VCID-ytdy-s1ug-dkh7 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:34.157916+00:00 | Alpine Linux Importer | Fixing | VCID-c7az-aw1f-4yah | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:32.588786+00:00 | Alpine Linux Importer | Fixing | VCID-1mgq-74b9-4bcg | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:31.703858+00:00 | Alpine Linux Importer | Fixing | VCID-x5p9-vthx-tud8 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:31.441527+00:00 | Alpine Linux Importer | Fixing | VCID-afun-gxhy-rbed | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:31.348386+00:00 | Alpine Linux Importer | Fixing | VCID-gx8g-nvhj-1kak | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:30.029591+00:00 | Alpine Linux Importer | Fixing | VCID-7xds-447f-qufr | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:29.201053+00:00 | Alpine Linux Importer | Fixing | VCID-pfhu-1qdf-p7d5 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:28.995572+00:00 | Alpine Linux Importer | Fixing | VCID-atx2-yc9p-g3c7 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:28.530882+00:00 | Alpine Linux Importer | Fixing | VCID-3qce-a24m-yue1 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:27.196023+00:00 | Alpine Linux Importer | Fixing | VCID-chzq-qej6-rkdq | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:26.941917+00:00 | Alpine Linux Importer | Fixing | VCID-a65j-y7z3-fudk | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:26.778073+00:00 | Alpine Linux Importer | Fixing | VCID-744k-b7s7-kbh5 | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:26.615025+00:00 | Alpine Linux Importer | Fixing | VCID-szpa-skfv-bygh | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:26.305919+00:00 | Alpine Linux Importer | Fixing | VCID-nrex-hpxg-ekhs | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:26.010849+00:00 | Alpine Linux Importer | Fixing | VCID-fbsf-bbw7-kyah | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |
| 2026-04-25T23:31:25.901795+00:00 | Alpine Linux Importer | Fixing | VCID-rf53-w9k3-7ych | https://secdb.alpinelinux.org/edge/community.json | 38.4.0 |