
CVE-2026-24030: DNSdist DoS Vulnerability via QUIC/HTTP3

CVE-2026-24030 is a denial of service vulnerability in DNSdist that enables attackers to cause excessive memory allocation through DNS over QUIC or HTTP/3. This article covers technical details, affected versions, and mitigation.

Published: April 2, 2026

CVE-2026-24030 Overview

CVE-2026-24030 is a memory exhaustion vulnerability in DNSdist that allows remote attackers to trigger excessive memory allocation when processing DNS over QUIC (DoQ) or DNS over HTTP/3 (DoH3) payloads. This vulnerability can result in a denial of service condition, potentially causing service disruption for DNS infrastructure relying on DNSdist.

Critical Impact

Remote attackers can exhaust system memory by sending specially crafted DNS over QUIC or HTTP/3 payloads, leading to service termination and DNS resolution failures for dependent systems.

Affected Products

  • DNSdist (versions with DoQ/DoH3 support enabled)
  • Systems running DNSdist with DNS over QUIC enabled
  • Systems running DNSdist with DNS over HTTP/3 enabled

Discovery Timeline

  • 2026-03-31 - CVE-2026-24030 published to NVD
  • 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-24030

Vulnerability Analysis

This vulnerability stems from improper memory allocation handling in DNSdist when processing DNS over QUIC (DoQ) or DNS over HTTP/3 (DoH3) payloads. An attacker can craft malicious payloads that trick DNSdist into allocating excessive amounts of memory during request processing.

The behavior of the vulnerability depends on available system resources. In environments with substantial memory capacity, the excessive allocation typically triggers an exception that results in the QUIC connection being properly closed. However, in systems with limited memory or under heavy load, the uncontrolled memory allocation can push the system into an out-of-memory (OOM) state, causing the kernel's OOM killer to terminate the DNSdist process entirely.

This vulnerability is classified under CWE-789 (Memory Allocation with Excessive Size Value), indicating that the application fails to properly validate or limit the size of memory allocations based on attacker-controlled input.

Root Cause

The root cause of this vulnerability lies in insufficient validation of memory allocation requests during DNS over QUIC and DNS over HTTP/3 payload processing. DNSdist fails to properly constrain the amount of memory that can be allocated based on incoming request data, allowing attackers to specify or trigger allocations that exceed reasonable bounds.

The QUIC and HTTP/3 protocol handlers do not adequately validate payload sizes or implement proper limits on memory consumption during request parsing and processing stages. This allows specially crafted payloads to consume disproportionate amounts of server memory relative to the request size.

Attack Vector

The attack is network-based and requires no authentication or user interaction, making it accessible to any attacker who can reach the DNSdist service over the network. The attacker sends specially crafted DNS queries using either the QUIC or HTTP/3 protocols to the vulnerable DNSdist instance.

The attack flow involves:

  1. Establishing a QUIC or HTTP/3 connection to the target DNSdist server
  2. Sending malformed or oversized payload data designed to trigger excessive memory allocation
  3. Repeating the attack to amplify memory consumption until the target reaches an OOM condition
  4. The DNSdist process crashes or is terminated by the system's OOM killer

The vulnerability is particularly impactful because DNS infrastructure is critical for network operations, and service interruption can cascade to affect all dependent services.

Detection Methods for CVE-2026-24030

Indicators of Compromise

  • Sudden spikes in DNSdist process memory consumption without corresponding legitimate traffic increases
  • DNSdist process crashes or restarts correlated with unusual QUIC/HTTP3 traffic patterns
  • OOM killer events in system logs referencing the DNSdist process
  • Abnormal connection patterns on DoQ (typically port 853/UDP) or DoH3 endpoints

Detection Strategies

  • Monitor DNSdist process memory utilization and alert on rapid growth or values exceeding baseline thresholds
  • Implement network-level monitoring for unusual volumes of QUIC or HTTP/3 traffic to DNS endpoints
  • Configure process monitoring to detect unexpected DNSdist restarts or crashes
  • Review system logs for OOM killer invocations targeting DNS-related processes
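
A minimal log triage for the OOM-killer and unexpected-restart indicators listed above, as an added example (not SentinelOne's or PowerDNS's code). The log lines are constructed, and the `dnsdist` process name, the `dnsdist.service` unit name and the 60-second correlation window are assumptions to adapt to your hosts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog-style lines with ISO 8601 timestamps; not from a real host.
SAMPLE_LOG = """\
2026-04-02T10:14:58+00:00 ns1 kernel: dnsdist invoked oom-killer: gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=0
2026-04-02T10:14:59+00:00 ns1 kernel: Out of memory: Killed process 2211 (dnsdist) total-vm:9437184kB, anon-rss:7864320kB, file-rss:1024kB, shmem-rss:0kB, UID:112 pgtables:15400kB oom_score_adj:0
2026-04-02T10:14:59+00:00 ns1 systemd[1]: dnsdist.service: Failed with result 'oom-kill'.
2026-04-02T10:15:01+00:00 ns1 systemd[1]: Started dnsdist.service - DNS Loadbalancer.
2026-04-02T11:40:12+00:00 ns1 kernel: Out of memory: Killed process 880 (postgres) total-vm:4194304kB, anon-rss:3145728kB, file-rss:512kB, shmem-rss:0kB, UID:26 pgtables:8000kB oom_score_adj:0
"""

KILL_RE = re.compile(r"Out of memory: Killed process (\d+) \(([^)]+)\).*?anon-rss:(\d+)kB")
UNIT_OOM_RE = re.compile(r"(\S+\.service): Failed with result 'oom-kill'")
START_RE = re.compile(r"Started (\S+\.service)")


def find_oom_kills(log_text, comm="dnsdist", unit="dnsdist.service",
                   window=timedelta(seconds=60)):
    """Return one finding per kernel OOM kill of `comm`, correlated with
    systemd's oom-kill result and a start of `unit` within `window`."""
    kills, unit_ooms, starts = [], [], []
    for line in log_text.splitlines():
        try:
            stamp, _host, msg = line.split(" ", 2)
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines without the expected timestamp prefix
        if (m := KILL_RE.search(msg)) and m.group(2) == comm:
            kills.append((when, int(m.group(1)), int(m.group(3)) // 1024))
        elif (m := UNIT_OOM_RE.search(msg)) and m.group(1) == unit:
            unit_ooms.append(when)
        elif (m := START_RE.search(msg)) and m.group(1) == unit:
            starts.append(when)

    def near(times, when):  # any event at or after the kill, inside the window
        return any(timedelta(0) <= t - when <= window for t in times)

    return [{"time": when.isoformat(), "pid": pid, "anon_rss_mib": rss,
             "unit_oom_result": near(unit_ooms, when),
             "restarted": near(starts, when)}
            for when, pid, rss in kills]


if __name__ == "__main__":
    for finding in find_oom_kills(SAMPLE_LOG):
        print(finding)
```

The `anon_rss_mib` value at kill time is worth comparing against the process's normal resident size: a kill far above baseline, followed by an automatic restart, matches the pattern this advisory describes.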

Monitoring Recommendations

  • Set up memory threshold alerts for DNSdist processes with appropriate baselines for your environment
  • Enable detailed logging for DoQ and DoH3 connections to identify potential attack sources
  • Implement rate limiting on QUIC and HTTP/3 connections at the network perimeter
  • Monitor for connection anomalies such as high connection rates from single sources or unusual payload sizes

How to Mitigate CVE-2026-24030

Immediate Actions Required

  • Apply the latest security patches from PowerDNS as detailed in the DNSdist Security Advisory 2026-02
  • If patching is not immediately possible, consider temporarily disabling DNS over QUIC and DNS over HTTP/3 features
  • Implement network-level rate limiting for incoming QUIC and HTTP/3 connections
  • Ensure adequate monitoring is in place to detect memory exhaustion conditions

Patch Information

PowerDNS has released a security advisory addressing this vulnerability. Administrators should review the DNSdist Security Advisory 2026-02 for specific patch details and affected version information. Update DNSdist to the latest patched version recommended in the advisory.

Workarounds

  • Disable DNS over QUIC (DoQ) functionality if not required by setting the appropriate configuration options
  • Disable DNS over HTTP/3 (DoH3) functionality if not required in favor of DoH over HTTP/2 or traditional DNS
  • Implement strict connection rate limiting at the firewall or load balancer level for QUIC traffic
  • Configure system-level memory limits for the DNSdist process using cgroups to contain potential memory exhaustion
  • Deploy DNSdist behind a reverse proxy that can filter or limit malicious payloads
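
```ini
# Example: Configure memory limits using systemd (if running DNSdist as a service)
# Drop-in file: /etc/systemd/system/dnsdist.service.d/limits.conf
# Apply with: systemctl daemon-reload && systemctl restart dnsdist
[Service]
# Hard cap: the OOM killer acts inside this unit's cgroup once usage exceeds it
MemoryMax=2G
# Soft limit: the kernel throttles the unit and reclaims memory above this value
MemoryHigh=1.5G
```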

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: DOS
  • Vendor/Tech: Dnsdist
  • Severity: MEDIUM
  • CVSS Score: 5.3
  • EPSS Probability: 0.01%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: Low

CWE References

  • CWE-789

Technical References

  • DNSdist Security Advisory 2026-02

Related CVEs

  • CVE-2026-27853: DNSdist DOS Vulnerability
  • CVE-2025-30193: DNSdist TCP Stack Exhaustion DoS Vulnerability
  • CVE-2026-27854: DNSdist Use-After-Free Vulnerability
  • CVE-2026-0396: DNSdist XSS Vulnerability via DNS Queries