CVE-2026-40011

Summary

An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.

Affected Software

VendorProductVersion RangeStatus
PowerDNSDNSdist1.9.0 < 1.9.15affected
PowerDNSDNSdist2.0.0 < 2.0.7affected

Weaknesses

  • Improper Encoding or Escaping of Output

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References