The DNSdist team reports:
- CVE-2026-40011: Prometheus denial of service via crafted DNS queries
- CVE-2026-42004: EDNS options smuggling
- CVE-2026-42005: Insufficient input validation of internal web server
- CVE-2026-40208: Denial of service via DoH3 queries
- CVE-2026-40209: Denial of service via IXFR queries
- CVE-2026-40210: Out-of-bounds read in SetMacAddrAction
- CVE-2026-40211: Denial of service via crafted DoH3 queries
Thanks to the people below for reporting these vulnerabilities:
- Haruki Oyama (Waseda University)
- Vitaly Simonovich
- ilya rozentsvaig
- ylwango613
- Qifan Zhang (Palo Alto Networks)
- Mehtab Zafar