Cyber Resilience

CVE-2026-33595

Medium

Published: 22 April 2026

Published
22 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0001 0.2th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33595 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Powerdns Dnsdist. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 0.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-33595 is a vulnerability in the dnsdist software that enables excessive memory allocation. A client can trigger this issue by generating a large number of error responses over a single DoQ (DNS over QUIC) or DoH3 (DNS over HTTP/3) connection, as certain resources are not properly released until the connection terminates. The flaw corresponds to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating moderate impact primarily on availability.

An unauthenticated attacker with network access to a vulnerable dnsdist instance can exploit this remotely with low complexity and no user interaction required. By crafting queries that provoke repeated error responses on a persistent DoQ or DoH3 connection, the attacker causes gradual memory buildup without timely resource cleanup, potentially leading to denial-of-service through server resource exhaustion.

The PowerDNS security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html details mitigation steps, including available patches for affected dnsdist versions. Security practitioners should consult this advisory for version-specific guidance and apply updates promptly to prevent exploitation.

EU & UK References

Vulnerability details

A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability enables remote exploitation of a resource management flaw (CWE-770) in dnsdist to cause gradual memory exhaustion and denial of service over DoQ/DoH3 connections, directly mapping to T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33599Same product: Powerdns Dnsdist
CVE-2026-27853Same product: Powerdns Dnsdist
CVE-2026-33254Same product: Powerdns Dnsdist
CVE-2026-33602Same product: Powerdns Dnsdist
CVE-2026-33594Same product: Powerdns Dnsdist
CVE-2026-33597Same product: Powerdns Dnsdist
CVE-2026-33593Same product: Powerdns Dnsdist
CVE-2026-33257Same product: Powerdns Dnsdist
CVE-2026-33260Same product: Powerdns Dnsdist
CVE-2026-27854Same product: Powerdns Dnsdist

Affected Assets

powerdns
dnsdist
1.9.0 — 1.9.13 · 2.0.0 — 2.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediates the dnsdist flaw causing unreleased resources and memory exhaustion on persistent DoQ/DoH3 connections by applying vendor patches.

prevent

Implements denial-of-service protections like rate limiting or query throttling per connection to block excessive error responses leading to resource depletion.

prevent

Allocates defined limits to resources such as memory per connection, preventing gradual exhaustion from repeated errors without timely cleanup.

References