SUSE-SU-2026:1618-1

CVE-2026-0396: crafted DNS queries triggering domain-based dynamic rules can lead to HTML injection in the web dashboard (bsc#1261236).
CVE-2026-0397: misconfiguration of the CORS policy can lead to information disclosure (bsc#1261237).
CVE-2026-24028: crafted DNS packet parsed by Lua code using newDNSPacketOverlay can lead to an out-of-bounds read (bsc#1261238).
CVE-2026-24029: disabled option on a DNS over HTTPS nghttp2 frontend allows clients to bypass ACLs and send DoH queries (bsc#1261239).
CVE-2026-24030: crafted DoQ and DoH3 queries can lead to unbounded memory allocation and DoS (bsc#1261240).
CVE-2026-27853: crafted DNS responses sent to a DNSdist using certain methods in custom Lua code (changeName) can lead to an out-of-bounds write (bsc#1261243).
CVE-2026-27854: crafted DNS queries sent to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code can lead to a use-after-free (bsc#1261241).

References

Affected packages

Name: dnsdist
Purl: pkg:rpm/suse/dnsdist&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.12-150700.3.9.1

{
    "binaries": [
        {
            "dnsdist": "1.9.12-150700.3.9.1"
        }
    ]
}

source

"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1618-1.json"