CVE-2026-40211

Publié : 25 juin 2026

Modifié : 25 juin 2026

Score CVSS

5.3

MEDIUM

Description détaillée

An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Références et Patchs

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html

Dernières Vulnérabilités

CVE-2026-57619

Contributor Sensitive Data Exposure in Elementor Website Builder <= 4.1.3 versions.

VOIR DÉTAILS

CVE-2026-57429

Contributor Broken Access Control in Slim SEO <= 4.6.2 versions.

VOIR DÉTAILS

CVE-2026-56122

Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traverse outside the webroot directory using traversal-prefixed paths in a single HTTP request to read any file accessible to the servlet engine process, including sensitive system files when the service runs with elevated privileges.

VOIR DÉTAILS