CVE-2026-40211 | An attacker can send crafted DNS over HTTP/3 queries, trigge… | CVSS 5.3 MEDIUM

Description

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.

Metadata

CVE ID: CVE-2026-40211
State: PUBLISHED
Assigner: OX
Reserved: 2026-04-10 07:11 UTC
Published: 2026-06-25 12:23 UTC
Last updated: 2026-06-25 13:45 UTC
Primary CWE: CWE-770
CWE-770 Allocation of Resources Without Limits or Throttling
Vendor / Product: PowerDNS / DNSdist
Sources: cve.org · NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
PowerDNS	DNSdist	—	1.9.0 < 1.9.15, 2.0.0 < 2.0.7

Weakness (CWE)

CWE	Source	Description
—	cna	Allocation of Resources Without Limits or Throttling
CWE-770	adp	CWE-770 Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References (1)

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html