CVE-2026-33257
Published: 22 April 2026
Summary
CVE-2026-33257 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Powerdns Recursor. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 1.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-5 (Denial-of-service Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the memory exhaustion flaw by applying vendor patches as specified in PowerDNS advisories.
Implements denial-of-service protections such as rate limiting and throttling to block crafted web requests causing unlimited memory allocation.
Enforces least functionality by disabling the internal web server unless required, minimizing exposure to the unauthenticated DoS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of a memory allocation flaw in the PowerDNS internal web server, directly causing application/system resource exhaustion and denial of service without flooding.
NVD Description
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Deeper analysisAI
CVE-2026-33257 is a denial-of-service vulnerability in the internal web servers of multiple PowerDNS products, including PowerDNS Authoritative, PowerDNS Recursor, and dnsdist. It stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where an attacker can send a specially crafted web request that triggers unlimited memory allocation, exhausting system resources. The internal web server, which exposes a management interface, is disabled by default, limiting exposure unless explicitly enabled. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low availability impact.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a malicious web request to the enabled internal web server, the attacker causes progressive memory exhaustion, potentially leading to service degradation or complete denial of service on the affected DNS server. No confidentiality or integrity impacts are possible, and exploitation requires the web server to be active.
PowerDNS has published targeted security advisories addressing this issue: PowerDNS Advisory 2026-05 for Authoritative, PowerDNS Advisory 2026-03 for Recursor, and PowerDNS Advisory 2026-04 for dnsdist, available at the respective documentation sites. Practitioners should consult these for patching instructions, configuration guidance to disable the web server where unnecessary, and any workarounds.
Details
- CWE(s)