CVE-2026-33258
Published: 22 April 2026
Summary
CVE-2026-33258 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in PowerDNS Recursor. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 0.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly protects against denial-of-service attacks by limiting effects of resource exhaustion from crafted DNS zones and queries causing large NSEC(3) cache allocations.
Ensures availability of critical resources like memory caches against excessive allocations triggered by aggressive negative and NSEC(3) caching in PowerDNS Recursor.
Mandates timely flaw remediation through patching the specific unbounded allocation vulnerability in PowerDNS Recursor as detailed in the security advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing DNS service (PowerDNS Recursor) and directly enables remote exploitation for endpoint DoS: a crafted zone and queries cause cache-based resource exhaustion.
NVD Description
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
Deeper analysis
CVE-2026-33258 is a vulnerability in PowerDNS Recursor that allows an attacker to publish and query a crafted DNS zone, resulting in the allocation of large entries in the negative and aggressive NSEC(3) caches. This issue, classified under CWE-770 (Allocation of Resources Without Limits or Throttling), carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating a moderate-severity denial-of-service risk with low availability impact.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and publishing a malicious DNS zone, followed by targeted queries, the attacker triggers excessive memory allocations in the specified caches, potentially leading to resource exhaustion and degraded service availability on affected PowerDNS Recursor instances.
The official PowerDNS security advisory, available at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html, details mitigation steps and patches for this vulnerability. Security practitioners should consult this advisory for version-specific remediation guidance.
Details
- CWE(s)