CVE-2026-42004
Low, CVSS 3.7
Summary
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
Risk Assessment
The risk is that an attacker can bypass DNSdist filtering rules and pass unwanted EDNS options to the backend, potentially leading to unauthorized data processing or attacks on the DNS server.
Recommendation
Update DNSdist immediately to the latest version that includes a fix for this vulnerability, and verify the configuration of the EDNS filtering rules.
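One way to verify what the backend actually receives, as an added example that is not part of the advisory or of DNSdist: a Python check that parses a DNS query captured between DNSdist and the backend, lists the EDNS option codes it carries, and applies generic RFC 6891 well-formedness checks. The allow-list (Client Subnet only), the function names and the sample queries are assumptions constructed for illustration; the advisory does not describe the crafted record and the samples do not reproduce it.

```python
import struct
OPT, ECS = 41, 8   # OPT pseudo-RR type (RFC 6891); Client Subnet option code (RFC 7871)

def skip_name(msg, off):
    """Return the offset just past a domain name (a compression pointer ends it)."""
    while (msg[off] & 0xC0) == 0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 else 1)

def edns_audit(msg, allowed=frozenset({ECS})):
    """Return (option codes seen, findings) for one DNS message as the backend received it."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    codes, findings, opt_records = [], [], 0
    for i in range(an + ns + ar):
        owner = off
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype != OPT:
            continue
        opt_records += 1
        if msg[owner] != 0:
            findings.append("OPT owner name is not the root")
        if i < an + ns:
            findings.append("OPT outside the additional section")
        p = 0
        while p + 4 <= len(rdata):               # each option: code, length, data
            code, length = struct.unpack_from("!HH", rdata, p)
            codes.append(code)
            p += 4 + length
        if p != len(rdata):
            findings.append("OPT RDATA option framing is malformed")
    if opt_records > 1:
        findings.append("more than one OPT record")
    findings += [f"option code {c} not in allow-list" for c in codes if c not in allowed]
    return codes, findings

def sample_query(rdata):
    """Constructed query for example.com A with one OPT record carrying the given RDATA."""
    q = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, 0, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + q + opt

ECS_OPT = struct.pack("!HHHBB", ECS, 7, 1, 24, 0) + bytes([192, 0, 2])  # constructed ECS, 192.0.2.0/24
COOKIE_OPT = struct.pack("!HH", 10, 8) + bytes(8)                       # constructed option code 10
```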
Original NVD description (English source)
An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.

