Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (11)
| Vulnerability |
Summary |
Aliases |
|
VCID-1mgq-74b9-4bcg
|
A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.
|
CVE-2026-33595
|
|
VCID-744k-b7s7-kbh5
|
A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.
|
CVE-2026-33599
|
|
VCID-7xds-447f-qufr
|
A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.
|
CVE-2026-33596
|
|
VCID-a65j-y7z3-fudk
|
A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.
|
CVE-2026-33602
|
|
VCID-afun-gxhy-rbed
|
A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
|
CVE-2026-33593
|
|
VCID-chzq-qej6-rkdq
|
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
|
CVE-2026-33257
|
|
VCID-fbsf-bbw7-kyah
|
PRSD detection denial of service
|
CVE-2026-33597
|
|
VCID-nrex-hpxg-ekhs
|
A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.
|
CVE-2026-33594
|
|
VCID-pfhu-1qdf-p7d5
|
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
|
CVE-2026-33260
|
|
VCID-qc7c-1d8j-hfha
|
A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.
|
CVE-2026-33598
|
|
VCID-ytdy-s1ug-dkh7
|
An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.
|
CVE-2026-33254
|