Cyber Posture

CVE-2026-24028

Medium

Published: 31 March 2026

Modified: 14 April 2026
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0001 (0.8th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24028 is a medium-severity Buffer Over-read (CWE-126) vulnerability in PowerDNS dnsdist, the DNS load balancer. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 0.8th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), that is, upgrading dnsdist to a fixed release, and SI-16 (Memory Protection), which limits what an out-of-bounds read can be turned into but does not remove it.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Timely flaw remediation, meaning an upgrade of dnsdist to a release that fixes the issue per the PowerDNS advisory, removes the out-of-bounds read that crafted DNS response packets trigger. It is the only control here that eliminates the flaw rather than limiting its effect.

SI-16 Memory Protection (prevent)

Memory protection mechanisms such as address space layout randomization, stack canaries and non-executable memory do not stop an out-of-bounds read from occurring; canaries in particular only detect writes. What they do is make the read harder to turn into a controlled information leak, so the denial-of-service outcome (a crash) remains possible on a fully hardened build.

SI-10 Information Input Validation (prevent)

Information input validation only partly applies: the read happens inside the parser that newDNSPacketOverlay provides, so custom Lua code cannot fully validate a DNS packet before handing it to that parser. Until the fix is deployed, Lua configuration that does not need newDNSPacketOverlay on response packets should not call it on them, since the NVD text ties exploitation to that use.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct network exploitation of a public-facing dnsdist DNS load balancer via a crafted packet, with no authentication or user interaction, matches T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.

Deeper analysis

CVE-2026-24028 is an out-of-bounds read vulnerability (CWE-126) affecting dnsdist, the DNS load balancer from PowerDNS. The issue arises when custom Lua code in dnsdist uses the newDNSPacketOverlay function to parse DNS packets, enabling an attacker to trigger the vulnerability by sending a crafted DNS response packet. Published on 2026-03-31, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). The vector scores only a low availability impact and no confidentiality impact (C:N), so the information-disclosure outcome mentioned in the description is not reflected in the score; treat the 5.3 as a floor if the parsed data reaches anything sensitive.

An unauthenticated attacker with network access to the dnsdist instance can exploit this by transmitting a specially crafted DNS response packet. Successful exploitation triggers an out-of-bounds read, which may cause a crash resulting in denial of service or allow access to unrelated memory, potentially leading to information disclosure. The precondition matters for triage: only deployments whose Lua configuration calls newDNSPacketOverlay on packets are exposed, so an affected version with no such Lua code has no trigger. The advisory does not state which field of the packet causes the over-read.
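The following is an added illustration of the bug class, not dnsdist's code and not the actual trigger: a small DNS wire-format walker in the style of a "packet overlay" parser, run over a constructed response whose RDLENGTH claims more bytes than the packet holds. The unchecked walker reads past the packet into adjacent buffer contents (the information-disclosure outcome the NVD text describes); the checked walker rejects the packet. The choice of RDLENGTH as the lying field, the packet contents and the "adjacent memory" string are all assumptions made for the example.

```python
"""
Added example (not dnsdist's code): an unchecked vs bounds-checked DNS
answer-section walker.  `mem` models process memory: the packet followed
by unrelated data, so an over-read shows up as leaked bytes.  The RDLENGTH
trigger is an assumed illustration of CWE-126; the advisory does not say
which field dnsdist mis-handled.
"""
import struct

SECRET = b"<unrelated memory: session key 0xdeadbeef>"  # constructed neighbour data


def build_response(rdlength_claim: int, rdata: bytes) -> bytes:
    """One-answer A-record response for example.com.  RDLENGTH is written as
    rdlength_claim regardless of len(rdata) so a lying value can be built."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags, qd, an, ns, ar
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)                  # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, rdlength_claim) + rdata
    return header + question + answer


def read_name(mem: bytes, off: int, limit: int) -> tuple:
    """Decode a possibly compressed owner name; returns (name, offset after it).
    Always bounds-checked against `limit`; name handling is not the point here."""
    labels, end, hops = [], None, 0
    while True:
        if off >= limit:
            raise ValueError("name runs past end of packet")
        ln = mem[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if off + 1 >= limit:
                raise ValueError("truncated compression pointer")
            ptr = ((ln & 0x3F) << 8) | mem[off + 1]
            if ptr >= off or hops > 16:              # only backward jumps, bounded
                raise ValueError("bad compression pointer")
            end = end if end is not None else off + 2
            off, hops = ptr, hops + 1
            continue
        if ln == 0:
            off += 1
            break
        if ln > 63 or off + 1 + ln > limit:
            raise ValueError("label runs past end of packet")
        labels.append(mem[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(mem: bytes, packet_len: int, bounds_checked: bool) -> list:
    """Walk the answer section of the DNS message occupying mem[:packet_len].
    `mem` may be longer than the packet to model whatever follows it in RAM."""
    if packet_len < 12:
        raise ValueError("short header")
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", mem[:12])
    off = 12
    for _ in range(qdcount):                         # skip the question section
        _, off = read_name(mem, off, packet_len)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(mem, off, packet_len)
        if off + 10 > packet_len:
            raise ValueError("truncated RR fixed fields")
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", mem[off:off + 10])
        off += 10
        if bounds_checked and off + rdlength > packet_len:
            # The check an over-read parser lacks: RDLENGTH must fit in the packet.
            raise ValueError("RDLENGTH %d exceeds packet end" % rdlength)
        rdata = mem[off:off + rdlength]              # unchecked: may run past packet_len
        off += rdlength
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return answers


def demo() -> tuple:
    """Crafted response: RDLENGTH says 40 bytes, but only 4 bytes of A-record follow."""
    packet = build_response(rdlength_claim=40, rdata=bytes([192, 0, 2, 1]))
    memory = packet + SECRET                         # what sits after the packet in RAM
    leaked = parse_answers(memory, len(packet), bounds_checked=False)[0]["rdata"]
    try:
        parse_answers(memory, len(packet), bounds_checked=True)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked_bytes, was_rejected = demo()
    print("unchecked overlay returned:", leaked_bytes)
    print("checked overlay rejected packet:", was_rejected)
```

In a native parser the unchecked slice is a pointer plus a length, and the same lie either returns neighbouring heap contents to the caller or faults when the read crosses into an unmapped page; those are the two outcomes (information disclosure, crash) the NVD text lists.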

Mitigation details are provided in the official PowerDNS security advisory for dnsdist at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html.

Details

CWE(s)

CWE-126 Buffer Over-read

Affected Products

powerdns dnsdist: 1.9.0 through 1.9.12, 2.0.0 through 2.0.3

CVEs Like This One

CVE-2026-27854 (same product: PowerDNS dnsdist)
CVE-2026-33598 (same product: PowerDNS dnsdist)
CVE-2026-24030 (same product: PowerDNS dnsdist)
CVE-2026-33254 (same product: PowerDNS dnsdist)
CVE-2026-33593 (same product: PowerDNS dnsdist)
CVE-2026-33597 (same product: PowerDNS dnsdist)
CVE-2026-33602 (same product: PowerDNS dnsdist)
CVE-2026-33595 (same product: PowerDNS dnsdist)
CVE-2026-33599 (same product: PowerDNS dnsdist)
CVE-2026-33594 (same product: PowerDNS dnsdist)

References

PowerDNS Security Advisory 2026-02 for dnsdist: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html