CVE-2026-40011

EUVD-2026-39346
An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OXCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
powerdnsdnsdist
1.9.0 ≤
𝑥
< 1.9.15
CNA
powerdnsdnsdist
2.0.0 ≤
𝑥
< 2.0.7
CNA
Debian logo
Debian Releases
Debian Product
Codename
dnsdist
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
1.9.15-0+deb13u1
fixed
Common Weakness Enumeration
References
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html