Home

Description

An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.

PUBLISHED Reserved 2026-04-23 | Published 2026-06-25 | Updated 2026-06-25 | Assigner OX




LOW: 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

Misinterpretation of Input

Product status

Default status
unaffected

1.9.0 (semver) before 1.9.15
affected

2.0.0 (semver) before 2.0.7
affected

Credits

Vitaly Simonovich finder

References

www.dnsdist.org/...owerdns-advisory-for-dnsdist-2026-09.html

cve.org (CVE-2026-42004)

nvd.nist.gov (CVE-2026-42004)

Download JSON