CVE-2026-33593
Published: 22 April 2026
Summary
CVE-2026-33593 is a high-severity Divide By Zero (CWE-369) vulnerability in Powerdns Dnsdist. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing the divide-by-zero vulnerability in dnsdist by applying available patches to prevent crashes from crafted DNSCrypt queries.
SI-11 mandates secure error handling to ensure divide-by-zero errors in DNSCrypt query processing do not lead to process crashes.
SI-10 enforces input validation for DNSCrypt queries, preventing crafted inputs from triggering the divide-by-zero error in dnsdist.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The divide-by-zero vulnerability in dnsdist allows remote unauthenticated attackers to crash the process via crafted DNSCrypt queries, directly enabling Endpoint Denial of Service through Application or System Exploitation.
NVD Description
A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
Deeper analysisAI
CVE-2026-33593 is a divide-by-zero vulnerability (CWE-369) in dnsdist, a DNS load balancer from PowerDNS. It affects the handling of DNSCrypt queries, where a client can send a crafted query that triggers the error, leading to a crash of the dnsdist process. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact denial of service due to network accessibility and lack of required privileges.
Any remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted DNSCrypt query to a vulnerable dnsdist instance. Successful exploitation results in a process crash, causing a denial-of-service condition that disrupts DNS resolution services until the process is restarted. There is no impact on confidentiality or integrity, but the ease of exploitation makes it suitable for targeted or opportunistic attacks against exposed DNS infrastructure.
The PowerDNS security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html provides details on mitigation, including available patches for affected dnsdist versions. Security practitioners should consult the advisory for upgrade instructions and verify their deployments.
Details
- CWE(s)