CVE-2026-40209

EUVD-2026-39348
An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OXCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
powerdnsdnsdist
1.9.0 ≤
𝑥
< 1.9.15
CNA
powerdnsdnsdist
2.0.0 ≤
𝑥
< 2.0.7
CNA
Debian logo
Debian Releases
Debian Product
Codename
dnsdist
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
1.9.15-0+deb13u1
fixed
Common Weakness Enumeration
References
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html