CVE-2026-27853
Published: 31 March 2026
Summary
CVE-2026-27853 is a medium-severity out-of-bounds write (CWE-787) vulnerability in PowerDNS DNSdist. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 2.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the out-of-bounds write in DNSdist by applying the vendor-provided patches referenced in the security advisory.
- SI-16 (Memory Protection): memory protection mechanisms such as address space layout randomization and stack guards limit the consequences of the out-of-bounds write, which otherwise leads to a crash.
- Validating incoming DNS responses for anomalies blocks crafted packets that trigger the oversized rewritten-packet condition in the Lua name-change methods.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The out-of-bounds write in a public-facing DNS load balancer is triggered by crafted responses and causes the process to crash; this directly maps to application exploitation for endpoint denial of service (T1499.004).
NVD Description
An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.
Deeper analysis
CVE-2026-27853 is an out-of-bounds write vulnerability (CWE-787) in DNSdist, a DNS load balancer. It affects DNSdist instances that run custom Lua code invoking the DNSQuestion:changeName or DNSResponse:changeName methods. An attacker can trigger the issue by sending crafted DNS responses that cause the rewritten packet to grow beyond its initial size, and even beyond 65535 bytes. The vulnerability is rated CVSS 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-03-31.
A remote attacker without privileges can exploit this over the network by crafting DNS responses aimed at a vulnerable DNSdist instance that uses the affected Lua methods. Attack complexity is high: the response data must be shaped precisely so that the name change overruns the packet buffer. Successful exploitation crashes the DNSdist process, resulting in denial of service, with no impact on confidentiality or integrity.
The PowerDNS security advisory provides details on mitigation; see https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html for patches and recommended actions.
Details
- CWE(s)