VulnerableCode Package Details - pkg:deb/debian/dnsdist@1.9.14-0%2Bdeb13u1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1mgq-74b9-4bcg	A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.	CVE-2026-33595
VCID-3qce-a24m-yue1	An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.	CVE-2026-27853
VCID-744k-b7s7-kbh5	A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.	CVE-2026-33599
VCID-7xds-447f-qufr	A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.	CVE-2026-33596
VCID-a65j-y7z3-fudk	A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.	CVE-2026-33602
VCID-afun-gxhy-rbed	A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.	CVE-2026-33593
VCID-atx2-yc9p-g3c7	An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.	CVE-2026-24030
VCID-c7az-aw1f-4yah	When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.	CVE-2026-24029
VCID-chzq-qej6-rkdq	An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.	CVE-2026-33257
VCID-fbsf-bbw7-kyah	PRSD detection denial of service	CVE-2026-33597
VCID-gx8g-nvhj-1kak	When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.	CVE-2026-0397
VCID-nrex-hpxg-ekhs	A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.	CVE-2026-33594
VCID-pfhu-1qdf-p7d5	An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.	CVE-2026-33260
VCID-qc7c-1d8j-hfha	A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.	CVE-2026-33598
VCID-rf53-w9k3-7ych	An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.	CVE-2026-24028
VCID-szpa-skfv-bygh	An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.	CVE-2026-27854
VCID-x5p9-vthx-tud8	An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.	CVE-2026-0396
VCID-ytdy-s1ug-dkh7	An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.	CVE-2026-33254

Vulnerability

Summary

Aliases

VCID-1mgq-74b9-4bcg

A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.

CVE-2026-33595

VCID-3qce-a24m-yue1

An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.

CVE-2026-27853

VCID-744k-b7s7-kbh5

A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.

CVE-2026-33599

VCID-7xds-447f-qufr

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.

CVE-2026-33596

VCID-a65j-y7z3-fudk

A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.

CVE-2026-33602

VCID-afun-gxhy-rbed

A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.

CVE-2026-33593

VCID-atx2-yc9p-g3c7

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

CVE-2026-24030

VCID-c7az-aw1f-4yah

When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.

CVE-2026-24029

VCID-chzq-qej6-rkdq

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

CVE-2026-33257

VCID-fbsf-bbw7-kyah

PRSD detection denial of service

CVE-2026-33597

VCID-gx8g-nvhj-1kak

When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.

CVE-2026-0397

VCID-nrex-hpxg-ekhs

A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

CVE-2026-33594

VCID-pfhu-1qdf-p7d5

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

CVE-2026-33260

VCID-qc7c-1d8j-hfha

A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.

CVE-2026-33598

VCID-rf53-w9k3-7ych

An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.

CVE-2026-24028

VCID-szpa-skfv-bygh

An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.

CVE-2026-27854

VCID-x5p9-vthx-tud8

An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.

CVE-2026-0396

VCID-ytdy-s1ug-dkh7

An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.

CVE-2026-33254

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-02T04:20:30.477853+00:00	Debian Importer	Fixing	VCID-nrex-hpxg-ekhs	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T03:48:51.257190+00:00	Debian Importer	Fixing	VCID-744k-b7s7-kbh5	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T02:42:12.372184+00:00	Debian Importer	Fixing	VCID-fbsf-bbw7-kyah	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T00:45:04.435867+00:00	Debian Importer	Fixing	VCID-7xds-447f-qufr	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T00:35:48.342614+00:00	Debian Importer	Fixing	VCID-szpa-skfv-bygh	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T00:10:24.056735+00:00	Debian Importer	Fixing	VCID-pfhu-1qdf-p7d5	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-02T00:04:12.361594+00:00	Debian Importer	Fixing	VCID-x5p9-vthx-tud8	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T23:45:28.226083+00:00	Debian Importer	Fixing	VCID-1mgq-74b9-4bcg	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T23:40:29.459708+00:00	Debian Importer	Fixing	VCID-qc7c-1d8j-hfha	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T23:25:36.845788+00:00	Debian Importer	Fixing	VCID-ytdy-s1ug-dkh7	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T22:08:47.321837+00:00	Debian Importer	Fixing	VCID-chzq-qej6-rkdq	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T22:08:33.278187+00:00	Debian Importer	Fixing	VCID-rf53-w9k3-7ych	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T22:04:47.090983+00:00	Debian Importer	Fixing	VCID-atx2-yc9p-g3c7	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T22:03:01.658731+00:00	Debian Importer	Fixing	VCID-3qce-a24m-yue1	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T21:54:09.934393+00:00	Debian Importer	Fixing	VCID-afun-gxhy-rbed	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T21:53:53.117138+00:00	Debian Importer	Fixing	VCID-c7az-aw1f-4yah	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T21:48:53.178637+00:00	Debian Importer	Fixing	VCID-gx8g-nvhj-1kak	https://security-tracker.debian.org/tracker/data/json	38.6.0
2026-05-01T21:48:21.851208+00:00	Debian Importer	Fixing	VCID-a65j-y7z3-fudk	https://security-tracker.debian.org/tracker/data/json	38.6.0