Home

Description

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.

PUBLISHED Reserved 2026-04-08 | Published 2026-06-25 | Updated 2026-06-25 | Assigner OX




LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

Improper Encoding or Escaping of Output

Product status

Default status
unaffected

1.9.0 (semver) before 1.9.15
affected

2.0.0 (semver) before 2.0.7
affected

Credits

Haruki Oyama (Waseda University) finder

References

www.dnsdist.org/...owerdns-advisory-for-dnsdist-2026-09.html

cve.org (CVE-2026-40011)

nvd.nist.gov (CVE-2026-40011)

Download JSON