CVE-2026-33260
Published: 22 April 2026
Summary
CVE-2026-33260 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Powerdns Recursor. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 1.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Flaw remediation requires applying vendor patches specifically released for this memory exhaustion vulnerability in PowerDNS products, directly preventing exploitation.
Resource availability controls enforce limits on memory allocation to counter unbounded resource exhaustion from specially crafted web requests.
Least functionality mandates disabling the unnecessary internal web server by default, eliminating the attack surface for this vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables direct exploitation of an application vulnerability (unbounded memory allocation via crafted request to internal web server) to trigger service DoS, matching T1499.004 Application or System Exploitation.
NVD Description
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Deeper analysisAI
CVE-2026-33260 is a vulnerability in the internal web server of PowerDNS products, including PowerDNS Authoritative, PowerDNS Recursor, and dnsdist. It enables an attacker to send a specially crafted web request that triggers unlimited memory allocation, leading to denial of service via memory exhaustion. The internal web server is disabled by default, and the issue is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
The vulnerability can be exploited by any unauthenticated remote attacker with network access to the internal web server, requiring low attack complexity and no user interaction. Successful exploitation results in low-impact availability disruption through resource exhaustion, potentially causing the service to become unresponsive.
Security advisories published by PowerDNS detail mitigations and patches for the affected components: https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html for Authoritative, https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for Recursor, and https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html for dnsdist. Practitioners should review these for version-specific updates and apply patches promptly, while ensuring the internal web server remains disabled unless required.
Details
- CWE(s)