Alpine: multiple dnsdist packages: security update to 2.0.4-r0

critical Tenable Self-Hosted Container Security Plugin ID 440772

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A cached crafted response can cause an out-of-bounds read if custom Lua code calls
getDomainListByAddress() or getAddressListByDomain() on a packet cache. (CVE-2026-33598)

- An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS
queries to a DNSdist instance where domain-based dynamic rules have been enabled via either
DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI. (CVE-2026-0396)

- When the internal webserver is enabled (default is disabled), an attacker might be able to trick an
administrator logged in to the dashboard into visiting a malicious website and extract information about the
running configuration from the dashboard. The root cause of the issue is a misconfiguration of the
Cross-Origin Resource Sharing (CORS) policy. (CVE-2026-0397)

- An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when
custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a
crash, leading to a denial of service, or access unrelated memory, leading to potential information
disclosure. (CVE-2026-24028)

- When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS
frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries
regardless of the configured ACL. (CVE-2026-24029)

Solution

Update the dnsdist library and its related packages to version 2.0.4-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-0396

https://security.alpinelinux.org/vuln/CVE-2026-0397

https://security.alpinelinux.org/vuln/CVE-2026-24028

https://security.alpinelinux.org/vuln/CVE-2026-24029

https://security.alpinelinux.org/vuln/CVE-2026-24030

https://security.alpinelinux.org/vuln/CVE-2026-27853

https://security.alpinelinux.org/vuln/CVE-2026-27854

https://security.alpinelinux.org/vuln/CVE-2026-33254

https://security.alpinelinux.org/vuln/CVE-2026-33257

https://security.alpinelinux.org/vuln/CVE-2026-33260

https://security.alpinelinux.org/vuln/CVE-2026-33593

https://security.alpinelinux.org/vuln/CVE-2026-33594

https://security.alpinelinux.org/vuln/CVE-2026-33595

https://security.alpinelinux.org/vuln/CVE-2026-33596

https://security.alpinelinux.org/vuln/CVE-2026-33597

https://security.alpinelinux.org/vuln/CVE-2026-33598

https://security.alpinelinux.org/vuln/CVE-2026-33599

https://security.alpinelinux.org/vuln/CVE-2026-33602

Plugin Details

Severity: Critical

ID: 440772

Version: Revision 1.7

Type: Local

Published: 4/23/2026

Updated: 6/3/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.6

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2026-33598

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 3/31/2026

Reference Information

CVE: CVE-2026-0396, CVE-2026-0397, CVE-2026-24028, CVE-2026-24029, CVE-2026-24030, CVE-2026-27853, CVE-2026-27854, CVE-2026-33254, CVE-2026-33257, CVE-2026-33260, CVE-2026-33593, CVE-2026-33594, CVE-2026-33595, CVE-2026-33596, CVE-2026-33597, CVE-2026-33598, CVE-2026-33599, CVE-2026-33602