CVE-2026-27854 — Vulnetix

CVE-2026-27854 PUBLISHED CVSS 4.800000190734863 MEDIUM

An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.

EPSS 0.01% · 0.4th percentile

Risk Scores

CVSS v3.1

4.800000190734863

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

EPSS Score

0.01%

0.4th percentile

Affected Products

Vendor	Product	Versions
PowerDNS	DNSdist	1.9.0, 2.0.0

Timeline

Mar 31, 2026 CVE Published
Mar 31, 2026 Security Advisory
Apr 2, 2026 CVE Updated
May 18, 2026 EPSS Score
May 19, 2026 EPSS Score
May 20, 2026 EPSS Score
May 21, 2026 EPSS Score
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score
May 26, 2026 EPSS Score

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html url
https://nvd.nist.gov/vuln/detail/CVE-2026-27854 advisory

Open in Interactive Console →