CVE-2026-40211

NameCVE-2026-40211
DescriptionAn attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6367-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dnsdist (PTS)bullseye1.5.1-3vulnerable
bookworm1.7.3-2vulnerable
trixie (security), trixie1.9.15-0+deb13u1fixed
forky, sid2.1.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dnsdistsourcebullseye(unfixed)end-of-life
dnsdistsourcebookworm(unfixed)end-of-life
dnsdistsourcetrixie1.9.15-0+deb13u1DSA-6367-1
dnsdistsource(unstable)2.1.0-1

Notes

[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-40211-denial-of-service-via-crafted-doh3-queries

Search for package or bug name: Reporting problems