CVE-2026-24028: Buffer Over-read in PowerDNS DNSdist
CVE-2026-24028 is a medium severity buffer over-read vulnerability in PowerDNS DNSdist versions 1.9.0 and 2.0.0. It occurs when an attacker sends a crafted DNS response packet that triggers an out-of-bounds read while custom Lua code parses the packet with newDNSPacketOverlay. This can cause DNSdist to crash, resulting in denial of service, or potentially disclose unrelated memory contents. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. No known exploits are currently reported in the wild. Organizations using affected DNSdist versions should apply patches or mitigate exposure to untrusted DNS responses to prevent service disruption or information leakage.
AI Analysis
Technical Summary
CVE-2026-24028 is a vulnerability identified in PowerDNS DNSdist, a DNS load balancer and firewall product, specifically affecting versions 1.9.0 and 2.0.0. The issue arises from an out-of-bounds read triggered by specially crafted DNS response packets when custom Lua scripts utilize the newDNSPacketOverlay API to parse DNS packets. This API is designed to facilitate packet inspection and manipulation within DNSdist. The crafted packet causes the Lua code to read memory beyond the intended buffer boundaries, leading to two primary impacts: a crash of the DNSdist process (denial of service) or potential disclosure of unrelated memory contents, which could leak sensitive information. The vulnerability is exploitable remotely without any authentication or user interaction, as it only requires sending a malicious DNS response to the vulnerable DNSdist instance. The CVSS 3.1 base score is 5.3, reflecting a medium severity primarily due to the lack of confidentiality or integrity impact and the requirement for a crafted response packet. No public exploits or active exploitation have been reported as of the publication date. The vulnerability highlights risks in custom Lua scripting environments within DNS infrastructure, emphasizing the need for careful input validation and memory safety when parsing network data.
Potential Impact
The primary impact of CVE-2026-24028 is the potential for denial of service through DNSdist crashes, which can disrupt DNS resolution services that rely on DNSdist as a load balancer or firewall. This disruption can affect the availability of critical network services and applications dependent on DNS. Additionally, the out-of-bounds read may lead to information disclosure by exposing unrelated memory contents, which could include sensitive data such as cryptographic keys, configuration details, or user data, depending on the memory layout. Although the confidentiality impact is not confirmed, the possibility of leakage poses a risk to organizations handling sensitive DNS traffic. Since DNSdist is often deployed in front-line DNS infrastructure, exploitation could affect large-scale DNS operations, impacting enterprises, ISPs, and cloud providers. The vulnerability does not require authentication or user interaction, increasing the risk of remote exploitation by attackers who can send crafted DNS responses. However, because the flaw is only reachable through custom Lua code that uses newDNSPacketOverlay, the attack surface is limited to deployments that use this feature.
Mitigation Recommendations
To mitigate CVE-2026-24028, organizations should first apply the patches or updates that PowerDNS provides for this vulnerability as soon as they are available. Until patches are applied, administrators should review and restrict the use of custom Lua scripts that call newDNSPacketOverlay, especially those that parse untrusted DNS responses. Network-level controls should be implemented to limit exposure to untrusted or potentially malicious DNS traffic, such as filtering DNS responses from unknown or suspicious sources. Deploying DNSdist behind trusted DNS resolvers or within controlled network segments can reduce risk. Monitoring DNSdist logs for crashes or unusual behavior can help detect exploitation attempts. Additionally, consider disabling or limiting Lua scripting capabilities if they are not essential, or apply strict input validation within Lua scripts to prevent out-of-bounds reads. Regular security assessments and code reviews of custom Lua scripts are recommended to identify and remediate unsafe parsing logic.
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, Canada, Australia, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: OX
- Date Reserved: 2026-01-20T14:56:25.872Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69cbbcb5e6bfc5ba1d1244ea
Added to database: 3/31/2026, 12:23:17 PM
Last enriched: 3/31/2026, 12:39:17 PM
Last updated: 3/31/2026, 1:32:53 PM