CVE-2026-24030
Published: 31 March 2026
Summary
CVE-2026-24030 is a medium-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in PowerDNS DNSdist. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 0.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24030 affects DNSdist, a DNS load balancer and proxy software. The vulnerability enables an attacker to trick DNSdist into allocating excessive memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. This is classified as CWE-789 (Uncontrolled Memory Allocation) with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). The issue was published on 2026-03-31.
An unauthenticated attacker with network access to a vulnerable DNSdist instance can exploit this by sending malicious payloads over DNS over QUIC or HTTP/3. Exploitation typically triggers an exception that closes the QUIC connection in systems with sufficient memory, but in some cases, it leads to a system-wide out-of-memory state that terminates the DNSdist process, causing a denial of service.
The PowerDNS security advisory for dnsdist-2026-02 at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html provides further details on mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17405
Vulnerability details
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Vulnerability in public-facing DNSdist enables remote unauthenticated exploitation leading to application DoS via uncontrolled memory allocation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely flaw remediation, directly addressing the uncontrolled memory allocation vulnerability in DNSdist by applying patches from the PowerDNS advisory.
SC-5 mandates denial-of-service protections that mitigate memory exhaustion attacks via malicious DNS over QUIC or HTTP/3 payloads targeting DNSdist.
SI-10 enforces input validation to reject malformed DNS over QUIC or HTTP/3 payloads that trick DNSdist into excessive memory allocation.