[Pdns-announce] PowerDNS DNSdist 1.9.15 and 2.0.7 Released (Security Release)

Remi Gacogne remi.gacogne at powerdns.com
Thu Jun 25 11:36:59 UTC 2026


Hi,

Today we released two new versions of DNSdist, 1.9.15 and 2.0.7, fixing 
several security issues that have been reported to us. These security 
issues are low to medium severity, and we recommend upgrading quickly.

The issues fixed in these releases are:

- CVE-2026-40011: An attacker sending a large number of crafted DNS 
queries might be able to trigger a dynamic block being inserted with a 
value causing invalid output to be produced in the prometheus endpoint. 
The prometheus endpoint will then be rejected by the scraper until the 
dynamic block expires.
- CVE-2026-42004: An attacker can send a crafted EDNS OPT record that 
will be ignored by DNSdist's filtering rules, but will be rewritten as a 
valid OPT record when EDNS Client Subnet is inserted, causing the 
backend to see the EDNS option(s) that DNSdist did not filter.
- CVE-2026-42005: An attacker can send a web request that causes 
unlimited memory allocation in the internal web server, leading to a 
denial of service. The internal web server is disabled by default.
- CVE-2026-40208: An attacker might be able to delay the processing of 
DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
- CVE-2026-40209: An attacker might be able to cause outgoing TCP 
connections to a backend to be stuck until a timeout occurs instead of 
being released immediately. This could be used to cause a denial of 
service if there is a limit on the number of concurrent connections to 
that backend, or if the process runs out of file descriptors.
- CVE-2026-40210: An out-of-bounds read might happen when 
SetMacAddrAction is used, potentially resulting in uninitialized memory 
being sent over the network or a crash.
- CVE-2026-40211: An attacker can send crafted DNS over HTTP/3 queries, 
triggering an exception that prevents some buffer from being freed right 
away. The buffer will be freed at the end of the QUIC connection, but on 
some setups it might be possible to open enough concurrent DoH3 streams 
to trigger an out-of-memory condition, resulting in a denial of service.
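The announcement above names the two fixed versions (1.9.15 on the 1.9 branch, 2.0.7 on the 2.0 branch) and recommends upgrading quickly. The following is an added example, not code from the announcement or from the PowerDNS project, of how an operator might turn that into a fleet check: it parses the first line of `dnsdist --version` output collected from each host and reports which hosts are still on a version older than the fix on its branch. The exact output format of `dnsdist --version` and the sample host data are assumptions constructed for the example; only the fixed version numbers come from the announcement.

```python
import re
from typing import Optional

# Fixed versions from the announcement: anything on these branches that is
# older than the listed version is affected by the issues it describes.
FIXED = {
    (1, 9): (1, 9, 15),
    (2, 0): (2, 0, 7),
}

# Assumed shape of the first line of `dnsdist --version`, e.g.
# "dnsdist 2.0.6 (Lua 5.4.6 ...)"; only the x.y.z number is used.
_VERSION_RE = re.compile(r"\bdnsdist\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[tuple]:
    """Extract (major, minor, patch) from `dnsdist --version` output."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version: tuple) -> Optional[bool]:
    """True if the version is on a branch covered by this release and older
    than the fix, False if it is at or beyond the fix, None if the branch
    (e.g. 1.8.x) is not covered by this announcement at all."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def classify_hosts(outputs: dict) -> dict:
    """Map host -> human-readable status for a dict of host -> version output."""
    result = {}
    for host, out in outputs.items():
        version = parse_version(out)
        if version is None:
            result[host] = "unparseable"
            continue
        state = needs_upgrade(version)
        if state is None:
            result[host] = "branch not covered by this advisory"
        elif state:
            target = ".".join(str(x) for x in FIXED[version[:2]])
            result[host] = "upgrade to " + target
        else:
            result[host] = "fixed"
    return result


# Constructed sample data standing in for `ssh host dnsdist --version` output.
SAMPLE_OUTPUTS = {
    "lb1": "dnsdist 2.0.6 (Lua 5.4.6 [LuaJIT])",
    "lb2": "dnsdist 2.0.7 (Lua 5.4.6 [LuaJIT])",
    "lb3": "dnsdist 1.9.14 (Lua 5.4.4)",
    "lb4": "dnsdist 1.8.3 (Lua 5.4.4)",
    "lb5": "bash: dnsdist: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(classify_hosts(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {status}")
```

Hosts on a branch the announcement does not mention (1.8.x in the sample) are reported separately rather than marked "fixed", since this release says nothing about them.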

The complete list of changes can be found in the ChangeLogs [1][2]. 
Please see the DNSdist website [3] for the current documentation. The 
upgrade guide is also available there [4]. The full security advisory 
[5] can be found on our website as well.

Please send us all feedback and issues you might have via the mailing 
list, or in case of a bug, via GitHub [6].

The release tarballs [7][9] and their signatures [8][10] are available 
on the downloads website, and packages for several distributions are 
available from our repository [11].

[1]: https://dnsdist.org/changelog.html#change-1.9.15
[2]: https://dnsdist.org/changelog.html#change-2.0.7
[3]: https://dnsdist.org
[4]: https://dnsdist.org/upgrade_guide.html
[5]: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html
[6]: https://github.com/PowerDNS/pdns/issues/new/choose
[7]: https://downloads.powerdns.com/releases/dnsdist-1.9.15.tar.bz2
[8]: https://downloads.powerdns.com/releases/dnsdist-1.9.15.tar.bz2.sig
[9]: https://downloads.powerdns.com/releases/dnsdist-2.0.7.tar.xz
[10]: https://downloads.powerdns.com/releases/dnsdist-2.0.7.tar.xz.sig
[11]: https://repo.powerdns.com

Best regards,
-
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/