Cyber Posture

CVE-2026-40719

Severity: High

Published: 15 April 2026
Modified: 17 April 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (4.2th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40719 is a high-severity Always-Incorrect Control Flow Implementation (CWE-670) vulnerability in MaraDNS Deadwood, attributed to the vendor Samiam (vendor inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). EPSS ranks it at the 4.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-5 Denial-of-service Protection (prevent): Directly protects the DNS resolver from denial-of-service attacks that exhaust connection slots via repeated failed resolutions to unresolvable nameservers.

SC-6 Resource Availability (prevent): Ensures availability of connection slots and other resources by implementing allocation methods to prevent exhaustion from crafted DNS queries targeting problematic zones.

Flaw remediation (prevent): Remediates the specific flaw in MaraDNS Deadwood 3.5.0036 by identifying, testing, and deploying patches to eliminate the resource exhaustion vulnerability.

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability enables remote attackers to trigger resource exhaustion (connection slots) in the DNS resolver via crafted queries for unresolvable zones, directly facilitating Application Exhaustion Flood for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Deadwood in MaraDNS 3.5.0036 allows attackers to exhaust connection slots via a zone whose authoritative nameserver address cannot be resolved.

Deeper analysis

CVE-2026-40719 affects the Deadwood component in MaraDNS version 3.5.0036, where attackers can exhaust connection slots by targeting a zone whose authoritative nameserver address cannot be resolved. This vulnerability, published on 2026-04-15, carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-670 (Always-Incorrect Control Flow Implementation); in practice the incorrect control flow manifests as resource exhaustion stemming from repeated failed resolution attempts.

Remote attackers require no privileges, authentication, or user interaction to exploit this flaw over the network with low complexity. By sending crafted DNS queries for the problematic zone, they trigger Deadwood to continually attempt connections to the unresolvable nameserver address, depleting available connection slots and causing a denial-of-service condition that impairs the DNS server's availability.

Mitigation details are outlined in the MaraDNS GitHub security advisory (GHSA-cfc6-vhrv-62cj) and the project changelog, accessible at https://github.com/samboy/MaraDNS/security/advisories/GHSA-cfc6-vhrv-62cj and https://maradns.samiam.org/changelog.html, respectively.

Details

CWE(s): CWE-670 Always-Incorrect Control Flow Implementation

Affected Products: Samiam (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-26267 (shared CWE-670)
CVE-2025-21607 (shared CWE-670)
CVE-2025-43359 (shared CWE-670)
CVE-2026-40960 (shared CWE-670)
CVE-2026-33011 (shared CWE-670)
CVE-2025-58136 (shared CWE-670)
CVE-2026-40200 (shared CWE-670)
CVE-2026-40394 (shared CWE-670)
CVE-2026-40396 (shared CWE-670)
CVE-2026-35414 (shared CWE-670)

References