CVE-2026-33595
Published: 22 April 2026
Summary
CVE-2026-33595 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in PowerDNS dnsdist. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 1.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Apply vendor patches: remediates the dnsdist flaw that leaves resources unreleased and exhausts memory on persistent DoQ/DoH3 connections.
- SC-5 (Denial-of-service Protection): implements denial-of-service protections such as rate limiting or query throttling per connection, so a client cannot drive excessive error responses that deplete resources.
- SC-6 (Resource Availability): allocates defined limits to resources such as memory per connection, preventing gradual exhaustion from repeated errors when cleanup is not timely.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a resource management flaw (CWE-770) in dnsdist to cause gradual memory exhaustion and denial of service over DoQ/DoH3 connections, directly mapping to T1499.004 Application or System Exploitation.
NVD Description
A client can trigger excessive memory allocation by generating a lot of error responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.
Deeper analysis
CVE-2026-33595 is a vulnerability in the dnsdist software that enables excessive memory allocation. A client can trigger this issue by generating a large number of error responses over a single DoQ (DNS over QUIC) or DoH3 (DNS over HTTP/3) connection, as certain resources are not properly released until the connection terminates. The flaw corresponds to CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating moderate impact primarily on availability.
An unauthenticated attacker with network access to a vulnerable dnsdist instance can exploit this remotely with low complexity and no user interaction required. By crafting queries that provoke repeated error responses on a persistent DoQ or DoH3 connection, the attacker causes gradual memory buildup without timely resource cleanup, potentially leading to denial-of-service through server resource exhaustion.
The PowerDNS security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html details mitigation steps, including available patches for affected dnsdist versions. Security practitioners should consult this advisory for version-specific guidance and apply updates promptly to prevent exploitation.
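The resource-management pattern described above, and the SC-5/SC-6 controls that counter it, can be made concrete with a small simulation. The following Python is an added example written for this page; it is not dnsdist code and does not reproduce the real DoQ/DoH3 implementation. It models a long-lived connection on which each error response allocates a buffer: the "leaky" server keeps every buffer referenced until the connection closes (the CWE-770 shape), while the "budgeted" server releases each buffer as soon as the response is sent and closes the connection once a per-connection error budget is exceeded. The query format, buffer size and budget value are constructed assumptions.

```python
"""Constructed simulation of per-connection resource handling on a persistent
DNS transport (DoQ/DoH3-style). Not dnsdist code; names and sizes are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List

ERROR_RESPONSE_SIZE = 512  # bytes allocated per error response (constructed value)


def is_malformed(query: dict) -> bool:
    """Constructed stand-in for query validation: a missing or empty qname is an error."""
    return not query.get("qname")


@dataclass
class ConnState:
    """Bookkeeping for one long-lived connection."""
    conn_id: str
    error_count: int = 0
    held: List[bytes] = field(default_factory=list)  # buffers still referenced
    closed: bool = False

    @property
    def bytes_held(self) -> int:
        return sum(len(b) for b in self.held)


class LeakyServer:
    """Vulnerable pattern (CWE-770): each error response keeps its buffer
    referenced until the connection ends, so memory grows with the number of
    errors a single client can provoke on one connection."""

    def __init__(self) -> None:
        self.conns: Dict[str, ConnState] = {}

    def handle(self, conn_id: str, query: dict) -> str:
        conn = self.conns.setdefault(conn_id, ConnState(conn_id))
        if conn.closed:
            return "CLOSED"
        if is_malformed(query):
            buf = bytes(ERROR_RESPONSE_SIZE)  # allocate the error response
            conn.held.append(buf)             # reference is never dropped here
            conn.error_count += 1
            return "ERROR"
        return "OK"

    def close(self, conn_id: str) -> None:
        conn = self.conns.get(conn_id)
        if conn is not None:
            conn.held.clear()  # resources are released only at connection end
            conn.closed = True


class BudgetedServer(LeakyServer):
    """Hardened pattern: release per-response state as soon as the response is
    sent, and enforce a per-connection error budget (SC-5/SC-6-style limiting)
    so one client cannot accumulate unbounded state on a single connection."""

    def __init__(self, max_errors_per_conn: int = 100) -> None:
        super().__init__()
        self.max_errors_per_conn = max_errors_per_conn

    def handle(self, conn_id: str, query: dict) -> str:
        conn = self.conns.setdefault(conn_id, ConnState(conn_id))
        if conn.closed:
            return "CLOSED"
        if is_malformed(query):
            buf = bytes(ERROR_RESPONSE_SIZE)
            conn.held.append(buf)  # referenced only while the response is sent
            conn.held.pop()        # released immediately, not at connection end
            conn.error_count += 1
            if conn.error_count > self.max_errors_per_conn:
                self.close(conn_id)  # budget exhausted: tear the connection down
                return "CLOSED"
            return "ERROR"
        return "OK"


def run_error_flood(server: LeakyServer, conn_id: str, n: int) -> dict:
    """Send n malformed queries on one connection and report how much memory the
    connection still holds, how many errors were answered, and whether it was closed."""
    answered = 0
    for _ in range(n):
        if server.handle(conn_id, {"qname": ""}) == "ERROR":
            answered += 1
    conn = server.conns[conn_id]
    return {"bytes_held": conn.bytes_held, "errors_answered": answered, "closed": conn.closed}


if __name__ == "__main__":
    print("leaky   :", run_error_flood(LeakyServer(), "c1", 10_000))
    print("budgeted:", run_error_flood(BudgetedServer(max_errors_per_conn=100), "c1", 10_000))
```

Running the flood against the leaky server shows retained memory growing linearly with the number of error responses on one connection, which is exactly what a resource limit or per-connection throttle is meant to bound; the budgeted server holds nothing between responses and cuts the connection after the budget is spent. In a real deployment the budget and the per-connection memory cap should be tuned against legitimate client behaviour and monitored so that tripping them is visible in logs.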
Details
- CWE(s)