We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-30194

Denial of service via crafted DoH exchange



Description

When DNSdist is configured to provide DoH via the nghttp2 provider, an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist, causing a denial of service. The remedy is: upgrade to the patched 1.9.9 version. A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version. We would like to thank Charles Howes for bringing this issue to our attention.

Reserved 2025-03-18 | Published 2025-04-29 | Updated 2025-04-29 | Assigner OX


HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-416 User After Free

Product status

Default status
unaffected

1.9.0 before 1.9.9
affected

Credits

Charles Howes finder

References

dnsdist.org/...es/powerdns-advisory-for-dnsdist-2025-02.html

cve.org (CVE-2025-30194)

nvd.nist.gov (CVE-2025-30194)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-30194

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.