Cyber Posture

CVE-2026-33594

Severity: Medium
Published: 22 April 2026
Modified: 24 April 2026
KEV Added: not listed
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0001 (1.9th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33594 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in PowerDNS dnsdist. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The EPSS model ranks it at the 1.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly implements denial-of-service protections to prevent memory exhaustion from excessive queries accumulating in buffers on overloaded DoH backends.
- prevent: Enforces limits on resource availability, such as memory, to stop unbounded query buffering per connection from depleting system resources.
- prevent: Restricts query inputs at network entry points by volume, rate, or size to prevent accumulation leading to excessive memory allocation.

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability allows flooding dnsdist with queries to trigger unbounded memory allocation (CWE-770), directly enabling Application Exhaustion Flood for DoS impact on the service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.

Deeper analysis

CVE-2026-33594 is a vulnerability in dnsdist that enables excessive memory allocation. A client can trigger this by generating numerous queries routed to an overloaded DoH (DNS over HTTPS) backend, causing the queries to accumulate in a buffer that remains unreleased until the connection ends. This issue maps to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L): a medium-severity finding whose only impact is a low (A:L) availability impact, with no confidentiality or integrity effects.

An unauthenticated attacker with network access can exploit this vulnerability by flooding the dnsdist instance with queries targeted at a slow or overloaded DoH backend. The accumulation of buffered queries leads to memory exhaustion, potentially causing a denial-of-service condition that degrades or halts dnsdist's ability to process legitimate DNS traffic.

The PowerDNS security advisory provides further details on this issue, available at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html.

Details

CWE(s): CWE-770 Allocation of Resources Without Limits or Throttling

Affected Products: PowerDNS dnsdist 1.9.0 through 1.9.13 and 2.0.0 through 2.0.4

CVEs Like This One

- CVE-2026-33254 (same product: PowerDNS dnsdist)
- CVE-2026-33595 (same product: PowerDNS dnsdist)
- CVE-2026-33593 (same product: PowerDNS dnsdist)
- CVE-2026-24030 (same product: PowerDNS dnsdist)
- CVE-2026-27854 (same product: PowerDNS dnsdist)
- CVE-2026-24028 (same product: PowerDNS dnsdist)
- CVE-2026-33597 (same product: PowerDNS dnsdist)
- CVE-2026-27853 (same product: PowerDNS dnsdist)
- CVE-2026-33602 (same product: PowerDNS dnsdist)
- CVE-2026-33598 (same product: PowerDNS dnsdist)