Cyber Resilience

CVE-2026-33256

Medium

Published: 22 April 2026

Published
22 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0000 0.0th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33256 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Powerdns Recursor. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 0.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2026-33256 affects the internal web server in PowerDNS Recursor, where an attacker can send a web request that triggers unlimited memory allocation, leading to a denial of service. Published on 2026-04-22, the vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling). The internal web server is disabled by default, limiting exposure.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation causes memory exhaustion in the affected component, resulting in low-impact denial of service by disrupting availability without compromising confidentiality or integrity.

The PowerDNS security advisory provides details on mitigation: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html.

EU & UK References

Vulnerability details

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote exploitation of an application-layer vulnerability (unbounded memory allocation in the internal web server) that directly causes resource exhaustion and denial of service, matching the definition of T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33258Same product: Powerdns Recursor
CVE-2026-33257Same product: Powerdns Recursor
CVE-2026-33260Same product: Powerdns Recursor
CVE-2026-33595Same vendor: Powerdns
CVE-2025-59023Same product: Powerdns Recursor
CVE-2026-33599Same vendor: Powerdns
CVE-2026-27853Same vendor: Powerdns
CVE-2026-33610Same vendor: Powerdns
CVE-2026-33254Same vendor: Powerdns
CVE-2026-33602Same vendor: Powerdns

Affected Assets

powerdns
recursor
5.4.0 · 5.2.0 — 5.2.9 · 5.3.0 — 5.3.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Denial-of-service protection directly mitigates unlimited memory allocation attacks by implementing throttling and resource limits on web requests to the internal server.

prevent

Resource availability protections limit memory allocations to prevent exhaustion from malicious web requests exploiting CWE-770.

prevent

Least functionality ensures the non-essential internal web server remains disabled, eliminating the attack surface for this DoS vulnerability.

References