Description

An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.

Severity (CVSS)

Base score: 3.7
Severity: Low
Version: CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Provided by: CNA

Weaknesses

  • CWE-115 — Misinterpretation of Input

Affected products

Vendor: PowerDNS
Product: DNSdist
Versions: 1.9.0 to <1.9.15; 2.0.0 to <2.0.7

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 26 Jun 2026 07:05 UTC.