diff -ru dnsdist-1.9.12.orig/dnsdist-nghttp2.cc dnsdist-1.9.12.CVE-2026-33594/dnsdist-nghttp2.cc
--- dnsdist-1.9.12.orig/dnsdist-nghttp2.cc 2026-03-13 16:09:16.000000000 +0100
+++ dnsdist-1.9.12.CVE-2026-33594/dnsdist-nghttp2.cc 2026-04-03 15:44:09.516182261 +0200
@@ -77,6 +77,10 @@
 }
 private:
+ /* how many bytes we are willing to keep in a buffer waiting for the socket to become writable
+ again, until we stop accepting new queries */
+ static constexpr size_t s_maxBufferedBytes = 65536U;
+
 static ssize_t send_callback(nghttp2_session* session, const uint8_t* data, size_t length, int flags, void* user_data);
 static int on_frame_recv_callback(nghttp2_session* session, const nghttp2_frame* frame, void* user_data);
 static int on_data_chunk_recv_callback(nghttp2_session* session, uint8_t flags, StreamID stream_id, const uint8_t* data, size_t len, void* user_data);
@@ -227,6 +231,13 @@
 if (nghttp2_session_get_remote_settings(d_session.get(), NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS) <= getConcurrentStreamsCount()) {
 return true;
 }
+
+ /* somehow we already have a lot of data queued that we have not been able to
+ write to the outgoing socket, do not accept new queries just yet */
+ if (d_out.size() >= s_maxBufferedBytes) {
+ return true;
+ }
+
 return false;
 }
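Review bot: The comment on `s_maxBufferedBytes` reads like a hard cap, but its only use visible in this patch (the `d_out.size() >= s_maxBufferedBytes` test in the second hunk) runs before a query is accepted, so the buffer can still grow past 65536 bytes by whatever the last admitted query queues. I would state that in the comment, e.g. `/* soft threshold, checked before accepting a query: d_out may exceed it by the frames of the last accepted query */`. The limit presumably applies per backend connection, since `d_out` looks like an instance member, so the total memory bound also depends on how many connections can exist; the class declaration is outside the hunk, so that is worth confirming and noting next to the constant.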
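Review bot: After this hunk the function returns `true` for two unrelated conditions, the peer's `NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS` being reached and the write backlog being too large, and callers cannot tell them apart. The function's signature and its callers are outside the hunk; if a caller reacts to `true` by opening another connection to the same backend, a backend that has stopped reading would lead to more connections rather than back-pressure, so please confirm the connection count is capped elsewhere. The test also uses `d_out.size()` as a whole: if the write path keeps a separate write offset into `d_out` instead of erasing sent bytes (not visible here), the comparison should use the unsent remainder. A doc comment on the function such as `/* also true when more than s_maxBufferedBytes are waiting to be written, not only when the stream limit is hit */` would help, as would a counter incremented in this branch so operators can see stalled backends.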