Cyber Resilience

CVE-2026-24030

Severity: Medium
Published: 31 March 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: available (see the PowerDNS advisory below)
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0001 (0.5th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-24030 is a medium-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in PowerDNS DNSdist. Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 0.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24030 affects DNSdist, a DNS load balancer and proxy. The vulnerability enables an attacker to trick DNSdist into allocating excessive memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. It is classified as CWE-789 (Uncontrolled Memory Allocation) with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). The issue was published on 2026-03-31.

An unauthenticated attacker with network access to a vulnerable DNSdist instance can exploit this by sending malicious payloads over DNS over QUIC or DNS over HTTP/3. On systems with ample memory, exploitation typically triggers an exception and the QUIC connection is closed cleanly; in some cases, however, the host enters an out-of-memory state and the DNSdist process is terminated, causing a denial of service.

The PowerDNS security advisory for dnsdist-2026-02 at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html provides further details on mitigation.

Vulnerability details

An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability in a public-facing DNSdist instance enables remote, unauthenticated exploitation that leads to application denial of service via uncontrolled memory allocation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27854 (same product: Powerdns Dnsdist)
CVE-2026-33598 (same product: Powerdns Dnsdist)
CVE-2026-24028 (same product: Powerdns Dnsdist)
CVE-2026-27853 (same product: Powerdns Dnsdist)
CVE-2026-33595 (same product: Powerdns Dnsdist)
CVE-2026-33602 (same product: Powerdns Dnsdist)
CVE-2026-33597 (same product: Powerdns Dnsdist)
CVE-2026-33599 (same product: Powerdns Dnsdist)
CVE-2026-33593 (same product: Powerdns Dnsdist)
CVE-2026-33254 (same product: Powerdns Dnsdist)

Affected Assets

Vendor: powerdns
Product: dnsdist
Affected versions: 1.9.0 through 1.9.12 and 2.0.0 through 2.0.3

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, directly addressing the uncontrolled memory allocation vulnerability in DNSdist by applying the patches referenced in the PowerDNS advisory.

Prevent: SC-5 (Denial-of-Service Protection) mandates denial-of-service protections that mitigate memory exhaustion attacks via malicious DNS over QUIC or HTTP/3 payloads targeting DNSdist.

Prevent: SI-10 (Information Input Validation) enforces input validation to reject malformed DNS over QUIC or HTTP/3 payloads that trick DNSdist into excessive memory allocation.
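The excessive-allocation weakness described in the deeper analysis above, and the SC-5 and SI-10 controls listed here, can be illustrated with a small bounded stream reassembler. This is an added example written for this page; it is not dnsdist's code and does not reflect how dnsdist parses DoQ or DoH3 frames. The 4-byte length-prefixed framing, the 64 KiB per-frame cap and the 1 MiB per-connection budget are constructed assumptions. The unchecked function shows the CWE-789 pattern (buffer sized purely by the peer's claim); the FrameAssembler validates the declared length against the protocol maximum and the connection's memory budget before reserving anything, then grows only as bytes actually arrive.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <optional>
#include <vector>

// Constructed framing for this illustration: a 4-byte big-endian declared length
// followed by that many body bytes, arriving in arbitrary chunks over a stream.
constexpr std::size_t kMaxFrameBytes = 65535;           // a DNS message never exceeds 64 KiB
constexpr std::size_t kConnectionBudgetBytes = 1 << 20;  // assumed per-connection buffer cap

static std::uint32_t decode_be32(const std::uint8_t* p) {
    return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
           (std::uint32_t(p[2]) << 8)  |  std::uint32_t(p[3]);
}

// Vulnerable pattern (CWE-789): the buffer is sized purely by the peer's claim.
// Returns the size that would be handed to reserve(); a 4-byte header can claim
// up to 4 GiB regardless of how many bytes ever arrive on the connection.
std::size_t unchecked_reserve_size(const std::uint8_t header[4]) {
    return decode_be32(header);
}

// Tracks how much buffer memory one connection currently holds (an SC-5 style bound).
struct ConnectionBudget {
    std::size_t used = 0;
    bool charge(std::size_t n) {
        if (n > kConnectionBudgetBytes - used) return false;  // would exceed the budget
        used += n;
        return true;
    }
    void release(std::size_t n) { used -= std::min(n, used); }
};

// Hardened reassembler (SI-10 style): validates the declared length before any
// allocation and grows the body only as bytes are actually received.
class FrameAssembler {
public:
    enum class Status { NeedMore, Complete, Rejected };
    explicit FrameAssembler(ConnectionBudget& budget) : budget_(budget) {}
    ~FrameAssembler() { if (charged_) budget_.release(*expected_); }

    Status feed(const std::uint8_t* data, std::size_t n) {
        if (rejected_) return Status::Rejected;
        while (n > 0) {
            if (!expected_) {
                header_.push_back(*data++); --n;
                if (header_.size() < 4) continue;
                std::size_t declared = decode_be32(header_.data());
                // Reject before reserving: protocol maximum first, then the connection budget.
                if (declared > kMaxFrameBytes || !budget_.charge(declared)) {
                    rejected_ = true;
                    return Status::Rejected;
                }
                expected_ = declared;
                charged_ = true;
                body_.reserve(declared);  // bounded: at most kMaxFrameBytes and within budget
            } else {
                std::size_t want = *expected_ - body_.size();
                std::size_t take = std::min(want, n);
                body_.insert(body_.end(), data, data + take);
                data += take; n -= take;
                if (body_.size() == *expected_) return Status::Complete;
            }
        }
        return (expected_ && body_.size() == *expected_) ? Status::Complete : Status::NeedMore;
    }
    const std::vector<std::uint8_t>& body() const { return body_; }

private:
    ConnectionBudget& budget_;
    std::vector<std::uint8_t> header_;
    std::optional<std::size_t> expected_;
    std::vector<std::uint8_t> body_;
    bool charged_ = false;
    bool rejected_ = false;
};

// Builds a constructed frame that claims `declared` bytes but carries `actual` body bytes.
std::vector<std::uint8_t> make_frame(std::uint32_t declared, std::size_t actual) {
    std::vector<std::uint8_t> f = { std::uint8_t(declared >> 24), std::uint8_t(declared >> 16),
                                    std::uint8_t(declared >> 8),  std::uint8_t(declared) };
    f.insert(f.end(), actual, std::uint8_t(0xAB));
    return f;
}

int main() {
    std::uint8_t claim[4] = {0xFF, 0xFF, 0xFF, 0xFF};
    std::cout << "unchecked path would reserve " << unchecked_reserve_size(claim) << " bytes\n";
    ConnectionBudget budget;
    FrameAssembler asm_(budget);
    std::vector<std::uint8_t> huge = make_frame(0xFFFFFFFFu, 0);
    bool rejected = asm_.feed(huge.data(), huge.size()) == FrameAssembler::Status::Rejected;
    std::cout << "checked path rejected the same claim: " << std::boolalpha << rejected
              << ", budget used = " << budget.used << "\n";
    return 0;
}
```

The two checks are deliberately separate: the protocol maximum stops a single oversized claim, while the per-connection budget stops a peer from opening many frames that are each individually legal but collectively exhaust memory.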
