CVE-2025-30194 Information

Description

When DNSdist is configured to provide DoH via the nghttp2 provider an attacker can cause a denial of service by crafting a DoH exchange that triggers an illegal memory access (double-free) and crash of DNSdist causing a denial of service.

The remedy is: upgrade to the patched 1.9.9 version.

A workaround is to temporarily switch to the h2o provider until DNSdist has been upgraded to a fixed version.

We would like to thank Charles Howes for bringing this issue to our attention.

Reference

http://www.openwall.com/lists/oss-security/2025/04/29/1 https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2025-02.html