Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33594

CVE-2026-33594: DoH Backend Denial of Service Vulnerability

CVE-2026-33594 is a denial of service flaw affecting DoH backends that allows attackers to trigger excessive memory allocation through query accumulation. This article covers technical details, affected systems, and mitigation.

Published:

CVE-2026-33594 Overview

CVE-2026-33594 is a memory exhaustion vulnerability affecting DNSdist, a DNS load balancer and traffic manager. The vulnerability allows a malicious client to trigger excessive memory allocation by generating a high volume of queries routed to an overloaded DNS-over-HTTPS (DoH) backend. When the backend becomes overwhelmed, queries accumulate in a buffer that is not released until the connection terminates, potentially leading to denial of service conditions.

Critical Impact

Attackers can exploit this vulnerability to cause memory exhaustion on DNSdist servers by overwhelming DoH backends with queries, resulting in service degradation or denial of service.

Affected Products

Discovery Timeline

  • 2026-04-22 - CVE-2026-33594 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-33594

Vulnerability Analysis

This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in how DNSdist handles query buffering when communicating with DoH backends that become unresponsive or overloaded.

Under normal operation, DNSdist forwards DNS queries to configured backends and manages response handling efficiently. However, when a DoH backend becomes overwhelmed and cannot process queries at the expected rate, incoming queries from clients continue to be accepted and buffered in memory. The problematic behavior is that this buffer grows without bounds and is not released until the client connection is terminated.

An attacker can exploit this by establishing a long-lived connection to the DNSdist server and continuously generating queries directed at a backend that is either intentionally overloaded or naturally struggling under load. As queries accumulate in the buffer without being processed or released, memory consumption on the DNSdist server increases progressively.

Root Cause

The root cause is the absence of proper resource limits on the query buffer used for DoH backend communications. The implementation fails to enforce memory allocation boundaries or implement timeout mechanisms that would release buffered queries when backends are unresponsive. This allows unbounded memory growth tied to the lifetime of individual client connections.

Attack Vector

The attack is network-based and requires no authentication or privileges. An attacker can remotely target a DNSdist server by:

  1. Establishing a connection to the DNSdist service
  2. Identifying or inducing conditions where DoH backends are overloaded
  3. Continuously sending DNS queries through the connection
  4. Maintaining the connection to prevent buffer release
  5. Repeating with multiple connections to accelerate memory exhaustion

The attack complexity is low as it requires only the ability to send DNS queries to the target server. The vulnerability affects availability without impacting confidentiality or integrity.

Detection Methods for CVE-2026-33594

Indicators of Compromise

  • Unusual memory growth on DNSdist server processes without corresponding increase in legitimate traffic
  • Long-lived client connections with high query volumes to DoH backends
  • DoH backend response latency spikes or timeout increases
  • Memory exhaustion alerts or out-of-memory conditions on DNSdist servers

Detection Strategies

  • Monitor DNSdist process memory consumption and alert on abnormal growth patterns
  • Track connection duration and query volume per client to identify anomalous behavior
  • Implement logging for DoH backend response times and queue depths
  • Configure alerting for memory utilization thresholds on DNS infrastructure

Monitoring Recommendations

  • Enable detailed metrics collection for DNSdist buffer usage and memory allocation
  • Deploy network traffic analysis to detect high-volume query patterns from single sources
  • Establish baseline metrics for normal DoH backend latency and response rates
  • Implement connection rate limiting and monitoring at the network perimeter

How to Mitigate CVE-2026-33594

Immediate Actions Required

  • Review the DNSdist Security Advisory for specific patch information
  • Apply vendor-provided security updates to affected DNSdist installations
  • Implement connection limits and rate limiting for incoming DNS queries
  • Monitor memory utilization on DNSdist servers for signs of exploitation

Patch Information

PowerDNS has released a security advisory addressing this vulnerability. Administrators should consult the DNSdist Security Advisory for detailed patch information and upgrade instructions for their specific DNSdist version.

Workarounds

  • Configure connection timeouts to terminate long-lived idle or low-activity connections
  • Implement rate limiting rules to restrict query volume per client connection
  • Deploy memory limits for DNSdist processes using container constraints or system resource limits
  • Consider temporarily disabling DoH backend routing if immediate patching is not possible
  • Add upstream load balancing to distribute DoH traffic across multiple backend servers
bash
# Example: Configure system-level memory limits for dnsdist process
# Using systemd service override
sudo systemctl edit dnsdist.service

# Add memory limit configuration
[Service]
MemoryMax=2G
MemoryHigh=1.5G

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.