CVE-2026-24030
Published: 31 March 2026
Summary
CVE-2026-24030 is a medium-severity Memory Allocation with Excessive Size Value (CWE-789) vulnerability in Powerdns Dnsdist. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 0.9th percentile for exploit likelihood (well below the median) and is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
SI-2 requires timely flaw remediation, directly addressing the uncontrolled memory allocation vulnerability in DNSdist by applying patches from the PowerDNS advisory.
SC-5 mandates denial-of-service protections that mitigate memory exhaustion attacks via malicious DNS over QUIC or HTTP/3 payloads targeting DNSdist.
SI-10 enforces input validation to reject malformed DNS over QUIC or HTTP/3 payloads that trick DNSdist into excessive memory allocation.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A vulnerability in a public-facing DNSdist instance allows remote, unauthenticated exploitation that leads to application denial of service through uncontrolled memory allocation.
NVD Description
An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
Deeper analysis (AI)
CVE-2026-24030 affects DNSdist, the PowerDNS DNS load balancer and proxy. The vulnerability allows an attacker to trick DNSdist into allocating excessive memory while it processes DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. It is classified as CWE-789 (Memory Allocation with Excessive Size Value) with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). The issue was published on 2026-03-31.
An unauthenticated attacker with network access to a vulnerable DNSdist instance can exploit this by sending malicious payloads over DNS over QUIC or DNS over HTTP/3. In most deployments, particularly those with ample memory, the oversized allocation fails with an exception and DNSdist closes the QUIC connection cleanly. In some cases, however, the host enters an out-of-memory state and the DNSdist process is terminated, causing a denial of service.
The PowerDNS security advisory for dnsdist-2026-02 at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html provides further details on mitigation.
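The failure mode described above is memory growth in the DNSdist process until the host runs out of memory. Until the patch from the advisory is applied, the operational check a defender wants is an early warning that resident memory is climbing past a budget. The watchdog below is an added example written for this page; it is not part of DNSdist or the PowerDNS advisory. It assumes a Linux host, that the process is named "dnsdist" in /proc/<pid>/comm, and uses a constructed /proc/<pid>/status sample (not captured from a real host) to exercise the parser offline.

```python
"""Added example: resident-memory watchdog for the OOM failure mode of
CVE-2026-24030. Parses VmRSS from /proc/<pid>/status (Linux only) for every
process whose comm is 'dnsdist' and reports those over a byte budget."""
import os
import re
from typing import Dict, List, Tuple

# Matches lines such as "VmRSS:\t 2097152 kB" in /proc/<pid>/status.
_KB_LINE = re.compile(r"^(Vm\w+):\s+(\d+)\s+kB$", re.MULTILINE)


def parse_proc_status(status_text: str) -> Dict[str, int]:
    """Return the Vm* fields of a /proc/<pid>/status dump, converted to bytes."""
    return {name: int(kb) * 1024 for name, kb in _KB_LINE.findall(status_text)}


def over_budget(status_text: str, budget_bytes: int) -> bool:
    """True when the resident set size (VmRSS) in the dump exceeds the budget."""
    return parse_proc_status(status_text).get("VmRSS", 0) > budget_bytes


def find_pids_by_comm(comm: str, proc_root: str = "/proc") -> List[int]:
    """PIDs whose /proc/<pid>/comm equals comm; empty if proc_root is unreadable."""
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return []
    pids = []
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as fh:
                if fh.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:
            continue  # process exited or is not readable by this user
    return pids


def check_dnsdist(budget_bytes: int, proc_root: str = "/proc") -> List[Tuple[int, int]]:
    """Return (pid, rss_bytes) for every dnsdist process whose RSS exceeds the budget."""
    offenders = []
    for pid in find_pids_by_comm("dnsdist", proc_root):
        try:
            with open(os.path.join(proc_root, str(pid), "status")) as fh:
                rss = parse_proc_status(fh.read()).get("VmRSS", 0)
        except OSError:
            continue
        if rss > budget_bytes:
            offenders.append((pid, rss))
    return offenders


# Constructed sample of the relevant /proc/<pid>/status lines (assumption:
# not captured from a real host). VmRSS here is 2 GiB.
SAMPLE_STATUS = """Name:\tdnsdist
VmPeak:\t 3276800 kB
VmSize:\t 3145728 kB
VmHWM:\t 2200000 kB
VmRSS:\t 2097152 kB
"""

if __name__ == "__main__":
    budget = 1 * 1024 ** 3  # 1 GiB; pick a value above normal steady-state RSS
    print("constructed sample exceeds 1 GiB budget:", over_budget(SAMPLE_STATUS, budget))
    for pid, rss in check_dnsdist(budget):
        print(f"dnsdist pid {pid}: RSS {rss / 1024 ** 2:.0f} MiB exceeds budget")
```

Run it from cron or a systemd timer and forward any offender lines to your alerting pipeline; a steadily rising VmHWM across runs on an otherwise idle resolver is the signal to capture traffic on the DoQ/DoH3 listener and patch. To keep the kernel from taking the whole host down while you investigate, also cap the service itself (for example `MemoryMax=` and `Restart=on-failure` in a systemd drop-in for the dnsdist unit), so an allocation blow-up kills and restarts only DNSdist rather than triggering a system-wide out-of-memory condition.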
Details
- CWE(s)