CVE-2026-33597

Low

Published: 22 April 2026

Published

22 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score 0.0002 3.5th percentile

Risk Priority 7 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33597 is a low-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Powerdns Dnsdist. Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the specific flaw in dnsdist's PRSD detection mechanism that enables the denial-of-service vulnerability.

SC-5 Denial-of-service Protection good match

prevent

Implements denial-of-service protections to prevent the low-impact availability disruption from remote exploitation over the network.

SI-10 Information Input Validation partial match

prevent

Validates information inputs to DNS traffic processed by dnsdist, addressing improper encoding or escaping that triggers the PRSD detection DoS.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The CVE describes a remotely exploitable denial of service vulnerability in the dnsdist application, directly enabling T1499.004 (Application or System Exploitation) to impact availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PRSD detection denial of service

Deeper analysisAI

CVE-2026-33597 is a denial of service vulnerability in the PRSD detection mechanism of dnsdist, a DNS load balancer and resolver from PowerDNS. Published on 2026-04-22, it carries a CVSS v3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) and maps to CWE-116 (Improper Encoding or Escaping of Output).

The vulnerability enables remote exploitation over the network by unauthenticated attackers requiring no privileges or user interaction, though high attack complexity is necessary. Successful attacks achieve a low-impact denial of service, limiting availability without compromising confidentiality or integrity.

Mitigation details are outlined in the PowerDNS security advisory for dnsdist available at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html.

Details

CWE(s): CWE-116

Affected Products

powerdns

dnsdist

1.9.0 — 1.9.13 · 2.0.0 — 2.0.4

CVEs Like This One

CVE-2026-33593Same product: Powerdns Dnsdist

CVE-2026-33602Same product: Powerdns Dnsdist

CVE-2026-33595Same product: Powerdns Dnsdist

CVE-2026-33599Same product: Powerdns Dnsdist

CVE-2026-27853Same product: Powerdns Dnsdist

CVE-2026-27854Same product: Powerdns Dnsdist

CVE-2026-33598Same product: Powerdns Dnsdist

CVE-2026-24030Same product: Powerdns Dnsdist

CVE-2026-33254Same product: Powerdns Dnsdist

CVE-2026-24028Same product: Powerdns Dnsdist

References

https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html
Vendor Advisory · security@open-xchange.com