CVE-2026-24030 Unbounded memory allocation for DoQ and DoH3

🗓️ 31 Mar 2026 12:01:00Reported by OXType

An attacker can trigger excessive memory use in DNSdist during DNS over QUIC or HTTP/3, causing denial of service.

Reporter	Title	Published	Views	Family All 39
FreeBSD	DNSdist -- vulnerabilities	31 Mar 202600:00	–	freebsd
ATTACKERKB	CVE-2026-24030	31 Mar 202612:01	–	attackerkb
AlpineLinux	CVE-2026-24030	31 Mar 202612:01	–	alpinelinux
Circl	CVE-2026-24030	10 Apr 202611:12	–	circl
CNNVD	PowerDNS DNSdist 安全漏洞	31 Mar 202600:00	–	cnnvd
CVE	CVE-2026-24030	31 Mar 202612:01	–	cve
Debian	[SECURITY] [DSA 6235-1] dnsdist security update	28 Apr 202619:03	–	debian
Debian CVE	CVE-2026-24030	31 Mar 202612:01	–	debiancve
Tenable Nessus	Debian dsa-6235 : dnsdist - security update	29 Apr 202600:00	–	nessus
Tenable Nessus	Fedora 44 : dnsdist (2026-519446405a)	28 Apr 202600:00	–	nessus

[
  {
    "collectionURL": "https://repo.powerdns.com/",
    "defaultStatus": "unaffected",
    "modules": [
      "Incoming DNS over QUIC",
      "Incoming DNS over HTTP/3"
    ],
    "packageName": "dnsdist",
    "product": "DNSdist",
    "programFiles": [
      "doq.cc",
      "doh3.cc"
    ],
    "repo": "https://github.com/PowerDNS/pdns",
    "vendor": "PowerDNS",
    "versions": [
      {
        "lessThan": "1.9.12",
        "status": "affected",
        "version": "1.9.0",
        "versionType": "semver"
      },
      {
        "lessThan": "2.0.3",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
dnsdist	www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html

31 Mar 2026 12:01Current

CVSS 3.15.3

EPSS0.00007