CVE-2026-40208

EUVD-2026-39347
An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OXCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
powerdnsdnsdist
1.9.0 ≤
𝑥
< 1.9.15
CNA
powerdnsdnsdist
2.0.0 ≤
𝑥
< 2.0.7
CNA
Debian logo
Debian Releases
Debian Product
Codename
dnsdist
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
1.9.15-0+deb13u1
fixed
Common Weakness Enumeration
References
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html