CVE-2026-33254
Published: 22 April 2026
Summary
CVE-2026-33254 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Powerdns Dnsdist. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly implements denial-of-service protections to counter connection flooding via concurrent DoQ or DoH3 connections that cause memory exhaustion in DNSdist.
Establishes resource allocation limits to prevent unbounded memory consumption triggered by large numbers of concurrent DoQ or DoH3 connections.
Enforces concurrent session or connection limits to mitigate resource exhaustion from excessive simultaneous DoQ or DoH3 connections to DNSdist.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables direct application-level resource exhaustion (memory) via flooding concurrent connections to a DNS proxy service, matching Application Exhaustion Flood.
NVD Description
An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.
Deeper analysisAI
CVE-2026-33254 is a denial-of-service vulnerability in DNSdist, a DNS load balancer and proxy. An attacker can create a large number of concurrent DoQ (DNS over QUIC) or DoH3 (DNS over HTTP/3) connections, triggering unlimited memory allocation and leading to resource exhaustion. DOQ and DoH3 are disabled by default in DNSdist, limiting exposure unless explicitly enabled. The vulnerability is rated with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and is associated with CWE-770 (Allocation of Resources Without Limits or Throttling).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By establishing numerous concurrent DoQ or DoH3 connections, the attacker causes DNSdist to allocate memory without bounds, resulting in denial of service through memory exhaustion and potential service disruption.
The PowerDNS security advisory for DNSdist, available at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html, provides details on mitigation and patches. Security practitioners should consult this advisory for specific remediation steps, such as applying updates or configuration changes to address the issue.
Details
- CWE(s)