CVE-2026-27854

Description

An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.

References

• https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-02.html