CVE-2026-42004

EUVD-2026-39351
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OXCNA
3.7 LOW
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
powerdnsdnsdist
1.9.0 ≤
𝑥
< 1.9.15
CNA
powerdnsdnsdist
2.0.0 ≤
𝑥
< 2.0.7
CNA
Debian logo
Debian Releases
Debian Product
Codename
dnsdist
bookworm
vulnerable
bullseye
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
1.9.15-0+deb13u1
fixed
Common Weakness Enumeration
References
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html