CVE-2026-33595 Overview
CVE-2026-33595 is a resource exhaustion vulnerability in DNSDist that allows remote attackers to trigger excessive memory allocation. The flaw lies in the handling of DNS-over-QUIC (DoQ) and DNS-over-HTTP/3 (DoH3) connections, where the resources associated with error responses are not released until the connection terminates. A malicious client can exploit this by generating a large number of error responses over a single connection, causing memory to accumulate and potentially leading to denial of service.
Critical Impact
Remote attackers can exhaust server memory resources by generating excessive error responses over DoQ and DoH3 connections, potentially causing service disruption without requiring authentication.
Affected Products
- DNSDist (DoQ and DoH3 implementations)
Discovery Timeline
- April 22, 2026 - CVE-2026-33595 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-33595
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The core issue lies in improper resource management within DNSDist's DNS-over-QUIC and DNS-over-HTTP/3 connection handlers. When processing requests that generate error responses, certain memory resources are allocated but not properly released during the connection lifecycle. Instead, these resources persist until the connection is fully terminated.
The attack can be executed remotely over the network without any authentication requirements or user interaction. While the vulnerability does not compromise data confidentiality or integrity, it poses a risk to service availability by enabling memory exhaustion attacks.
Root Cause
The root cause is improper resource lifecycle management in DNSDist's DoQ and DoH3 protocol implementations. When error responses are generated, the associated memory allocations are not freed as each response completes but are held until the connection closes. This allows memory to grow without bound for the lifetime of a long-lived connection, a condition an attacker can trigger deliberately.
Attack Vector
An attacker can exploit this vulnerability by establishing a persistent DoQ or DoH3 connection to a vulnerable DNSDist server and then sending a stream of malformed or invalid DNS queries that trigger error responses. Since the resources associated with these error responses are not released until the connection ends, each error response contributes to growing memory consumption.
The attack requires only network access to the target DNS server's DoQ (typically UDP port 853) or DoH3 endpoints. No authentication or special privileges are needed, making this vulnerability easily exploitable by any remote attacker who can reach the DNS service.
For detailed technical information about the vulnerability mechanism, refer to the DNSDist Security Advisory.
Detection Methods for CVE-2026-33595
Indicators of Compromise
- Unusual memory growth patterns in DNSDist processes during periods of DoQ/DoH3 activity
- Single client connections generating an abnormally high number of DNS error responses
- Memory utilization trending upward without corresponding increases in legitimate DNS query volume
- Long-lived DoQ or DoH3 connections from suspicious source IP addresses
Detection Strategies
- Monitor DNSDist process memory consumption and alert on sustained growth patterns
- Implement logging and analysis of DNS error response rates per connection
- Track connection duration metrics for DoQ and DoH3 sessions to identify anomalous long-lived connections
- Deploy network monitoring to detect high volumes of malformed DNS queries from single sources
Monitoring Recommendations
- Configure memory usage thresholds and alerting for DNSDist services
- Enable detailed connection logging for DoQ and DoH3 protocols to track error response patterns
- Implement rate monitoring for DNS error responses correlated with source IP and connection metadata
- Set up automated alerts for connections that persist beyond expected durations while generating errors
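As an added illustration of the per-connection error-rate logging and correlation recommended under Detection Strategies and Monitoring Recommendations above (example code written for this page, not DNSDist's own; the log line layout is constructed and hypothetical, not DNSDist's real log format, and the thresholds are assumptions to be tuned per deployment):

```python
import re
# Constructed, hypothetical log layout (NOT DNSDist's real log format):
#   <unix_ts> <transport> <client_ip> conn=<connection_id> rcode=<RCODE>
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<proto>doq|doh3) (?P<ip>[\d.]+) "
                     r"conn=(?P<conn>\d+) rcode=(?P<rcode>\w+)$")
# Error rcodes a client can provoke with malformed or invalid queries.
# NXDOMAIN is a normal negative answer, so it is deliberately not counted.
ERROR_RCODES = {"FORMERR", "SERVFAIL", "REFUSED", "NOTIMP"}

# Constructed sample: conn=1 is a normal client; conn=9 is one long-lived
# DoH3 session that draws nothing but error responses for 90 seconds.
SAMPLE_LOG = """\
1700000000 doq 203.0.113.10 conn=1 rcode=NOERROR
1700000003 doq 203.0.113.10 conn=1 rcode=NXDOMAIN
1700000005 doq 203.0.113.10 conn=1 rcode=NOERROR
1700000000 doh3 198.51.100.7 conn=9 rcode=FORMERR
1700000001 doh3 198.51.100.7 conn=9 rcode=FORMERR
1700000002 doh3 198.51.100.7 conn=9 rcode=SERVFAIL
1700000040 doh3 198.51.100.7 conn=9 rcode=FORMERR
1700000090 doh3 198.51.100.7 conn=9 rcode=FORMERR
"""

def parse_lines(text):
    """Yield (ts, proto, ip, conn, rcode) for each well-formed line; skip junk."""
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            yield int(m["ts"]), m["proto"], m["ip"], m["conn"], m["rcode"]

def summarize_connections(text):
    """Per (proto, ip, conn): total responses, error responses, first/last ts."""
    stats = {}
    for ts, proto, ip, conn, rcode in parse_lines(text):
        s = stats.setdefault((proto, ip, conn),
                             {"total": 0, "errors": 0, "first": ts, "last": ts})
        s["total"] += 1
        s["errors"] += int(rcode in ERROR_RCODES)
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return stats

def find_suspicious(text, min_errors=4, min_error_ratio=0.8, min_duration=60):
    """Connections that keep drawing errors over a long lifetime, returned as
    (key, errors, error_ratio, duration_seconds). Thresholds are illustrative."""
    alerts = []
    for key, s in summarize_connections(text).items():
        ratio, duration = s["errors"] / s["total"], s["last"] - s["first"]
        if (s["errors"] >= min_errors and ratio >= min_error_ratio
                and duration >= min_duration):
            alerts.append((key, s["errors"], round(ratio, 2), duration))
    return alerts
```

Feeding real per-response logs through the same aggregation yields one alert per connection that both persists and keeps producing error responses, which is the pattern the indicators above describe.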
How to Mitigate CVE-2026-33595
Immediate Actions Required
- Review the DNSDist Security Advisory for the latest patch information
- Apply available security updates to DNSDist installations as soon as they become available
- Consider implementing connection-level rate limiting for DoQ and DoH3 protocols
- Monitor memory utilization on DNSDist servers for signs of exploitation
Patch Information
Security patches and remediation guidance are provided in the official DNSDist Security Advisory. Organizations should prioritize updating to patched versions of DNSDist that properly release resources during error response handling.
Workarounds
- Implement connection-level rate limiting to restrict the number of queries per DoQ/DoH3 connection
- Configure maximum connection duration limits to force periodic connection re-establishment
- Deploy resource quotas or cgroups to limit DNSDist process memory consumption
- Consider temporarily disabling DoQ and DoH3 endpoints if they are not critical to operations while awaiting patches
-- Example configuration to limit connection parameters (adjust based on your DNSDist version).
-- dnsdist configuration files are Lua, so comments start with "--"; the function names below are
-- illustrative and must be checked against the documentation for your version before use.
-- Set maximum number of queries per connection
setMaxQueriesPerConnection(1000)
-- Configure connection idle timeout (in seconds)
setDoHConnectionIdleTimeout(30)
-- Verbose logging of backend health checks; this does not monitor process memory,
-- which should be tracked externally (see Monitoring Recommendations above)
setVerboseHealthChecks(true)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.