Cyber Posture

CVE-2026-33599

Severity: Low
Published: 22 April 2026
Modified: 24 April 2026
CISA KEV: not listed
CVSS v3.1 base score: 3.1 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS score: 0.0001 (0.5th percentile)
Risk Priority: 6 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33599 is a low-severity Out-of-bounds Read (CWE-125) vulnerability in PowerDNS dnsdist, affecting 1.9.0 through 1.9.13 and 2.0.0 through 2.0.4. It is reachable only when Discovery of Designated Resolvers (DDR) auto-upgrade has been enabled, which it is not by default. Its CVSS v3.1 base score is 3.1 (Low).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004), a denial-of-service impact. EPSS ranks it at the 0.5th percentile for exploit likelihood, far below the median, and it is not currently listed in the CISA KEV catalog.

The mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation), CM-7 (Least Functionality) and SI-10 (Information Input Validation); of these, CM-7 and SI-10 are the strongest compensating controls where patching is delayed, because the vulnerable path is only reachable with DDR auto-upgrade on.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Apply the dnsdist release that fixes the out-of-bounds read, as detailed in the PowerDNS advisory. This is the only control that removes the bug rather than the exposure to it.

CM-7 Least Functionality (prevent)
Disable DDR auto-upgrade (the autoUpgrade option to newServer in the Lua configuration, or the auto_upgrade settings in YAML) wherever it is not needed. The feature is off by default and is required to reach the vulnerable code path, so a backend cannot trigger the bug against an instance that never sends DDR queries.

SI-10 Information Input Validation (prevent)
Validate SVCB responses from backends before processing them: every declared length inside the SVCB RDATA must be checked against the bytes actually received, so that a crafted response from a rogue backend cannot make the parser read past its buffer.
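What SI-10 means in practice for this record type, as an added example that is not code from dnsdist or from the PowerDNS advisory: a small bounds-checked SVCB RDATA parser written for this page. It follows the wire format of RFC 9460 (SvcPriority, uncompressed TargetName, ascending SvcParamKeys each with a 16-bit length) and the per-key rules a DDR answer relies on (RFC 9461), and it rejects a constructed response whose dohpath parameter declares more bytes than were received, which is the general shape of an out-of-bounds read in a parser of this kind. The sample records, the simplified dohpath check and the error strings are this page's own constructions; the advisory text quoted here does not describe the dnsdist fault at this level of detail, so the code should be read as the class of check, not as the fix.

```python
import re
import struct
from typing import Dict, Optional, Tuple

# SvcParamKeys from RFC 9460 and RFC 9461 (DDR answers carry alpn, port, address hints, dohpath).
KEY_ALPN, KEY_PORT, KEY_IPV4HINT, KEY_DOHPATH = 1, 3, 4, 7

class MalformedSvcb(ValueError):
    """Raised instead of reading past the bytes that were actually received."""

def _read_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode an uncompressed wire-format name (SVCB TargetName must not use compression)."""
    labels = []
    while True:
        if off >= len(buf):
            raise MalformedSvcb("TargetName runs past end of RDATA")
        ln = buf[off]
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        if ln & 0xC0 or off + ln > len(buf):
            raise MalformedSvcb("bad label in TargetName")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln

def _validate_value(key: int, value: bytes) -> None:
    """Per-key shape rules (RFC 9460 section 7; RFC 9461 section 5, simplified for dohpath)."""
    if key == KEY_ALPN:
        off = 0
        while off < len(value):                 # 1-byte-length-prefixed alpn-ids
            n = value[off]
            if n == 0 or off + 1 + n > len(value):
                raise MalformedSvcb("alpn-id length exceeds alpn value")
            off += 1 + n
    elif key == KEY_PORT and len(value) != 2:
        raise MalformedSvcb("port must be exactly 2 bytes")
    elif key == KEY_IPV4HINT and (not value or len(value) % 4):
        raise MalformedSvcb("ipv4hint must be a non-empty multiple of 4 bytes")
    elif key == KEY_DOHPATH:
        try:
            template = value.decode("utf-8")
        except UnicodeDecodeError as exc:
            raise MalformedSvcb("dohpath is not valid UTF-8") from exc
        if not template.startswith("/") or not re.search(r"\{[^}]*\bdns\b[^}]*\}", template):
            raise MalformedSvcb("dohpath must be a relative URI template with a dns variable")

def parse_svcb_rdata(rdata: bytes) -> Dict[str, object]:
    """Parse SVCB RDATA (RFC 9460 section 2.2), checking every declared length against the buffer."""
    if len(rdata) < 2:
        raise MalformedSvcb("RDATA shorter than SvcPriority")
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, off = _read_name(rdata, 2)
    params: Dict[int, bytes] = {}
    last_key = -1
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise MalformedSvcb("truncated SvcParam header")
        key, plen = struct.unpack_from("!HH", rdata, off)
        off += 4
        if key <= last_key:                     # keys strictly ascending, so no duplicates either
            raise MalformedSvcb(f"SvcParamKey {key} out of order or repeated")
        if off + plen > len(rdata):             # the check an out-of-bounds read is missing
            raise MalformedSvcb(f"SvcParam {key} declares {plen} bytes, only {len(rdata) - off} remain")
        value = rdata[off:off + plen]
        off += plen
        _validate_value(key, value)
        params[key] = value
        last_key = key
    return {"priority": priority, "target": target, "params": params}

def safe_parse(rdata: bytes) -> Tuple[Optional[Dict[str, object]], Optional[str]]:
    """(record, None) for well-formed RDATA; (None, reason) for a response that must be dropped."""
    try:
        return parse_svcb_rdata(rdata), None
    except MalformedSvcb as exc:
        return None, str(exc)

def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_svcb(priority: int, target: str, params: Dict[int, bytes]) -> bytes:
    """Serialise SVCB RDATA with SvcParamKeys in the required ascending order."""
    out = struct.pack("!H", priority) + encode_name(target)
    for key in sorted(params):
        out += struct.pack("!HH", key, len(params[key])) + params[key]
    return out

# Constructed sample DDR answer (not from the advisory): resolver reachable over DoH on port 443.
DOHPATH = b"/dns-query{?dns}"
SAMPLE_OK = build_svcb(1, "dns.example.net.", {KEY_ALPN: b"\x02h2", KEY_PORT: struct.pack("!H", 443),
                                                KEY_IPV4HINT: bytes([192, 0, 2, 1]), KEY_DOHPATH: DOHPATH})
# Constructed rogue-backend answer: identical, except dohpath now claims 65535 bytes while 16 follow.
SAMPLE_CRAFTED = SAMPLE_OK[:-(4 + len(DOHPATH))] + struct.pack("!HH", KEY_DOHPATH, 0xFFFF) + DOHPATH
# Constructed answer with port before alpn: keys out of order, so it is rejected as well.
SAMPLE_UNORDERED = (struct.pack("!H", 1) + encode_name("dns.example.net.")
                    + struct.pack("!HH", KEY_PORT, 2) + b"\x01\xbb" + struct.pack("!HH", KEY_ALPN, 3) + b"\x02h2")
```

Calling safe_parse(SAMPLE_OK) returns the decoded record; safe_parse(SAMPLE_CRAFTED) returns the reason "SvcParam 7 declares 65535 bytes, only 16 remain" instead of touching memory beyond the received bytes. The point generalises past dohpath: every length-prefixed field (labels, alpn-ids, SvcParam values) is compared against the remaining buffer before it is read, which is the whole of the input-validation requirement for this bug class.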

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why this technique?

The out-of-bounds read lets an attacker positioned as a rogue backend (AV:A) crash or degrade dnsdist with a crafted DDR/SVCB response when auto-upgrade is enabled. The only impact is availability, which is endpoint denial of service through application exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.

Deeper analysis

CVE-2026-33599 is an out-of-bounds read (CWE-125) in dnsdist, the DNS load balancer from PowerDNS. It is triggered when a rogue backend answers a Discovery of Designated Resolvers (DDR) query with a crafted SVCB response, and it is reachable only when DDR auto-upgrade has been turned on, via the autoUpgrade option to newServer in the Lua configuration or the auto_upgrade settings in YAML. The vulnerability was published on 2026-04-22 with a CVSS v3.1 base score of 3.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Reading the vector: the attacker must be adjacent to dnsdist (AV:A), here meaning able to answer as one of its configured backends; needs no privileges on dnsdist itself (PR:N) and no user interaction (UI:N); but faces high attack complexity (AC:H), since the deployment must have DDR auto-upgrade enabled and must send a DDR query that the rogue backend gets to answer. Success yields a low availability impact only (A:L), such as a crash or degraded service of the dnsdist process, with no confidentiality or integrity effect. An attacker who can already answer as a trusted backend holds a stronger position against a DNS load balancer than this bug alone provides, which is consistent with the low score.

The PowerDNS security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html notes that DDR upgrade is not enabled by default. Deployments that have never enabled autoUpgrade or auto_upgrade do not reach the vulnerable code path; they should still update, since the affected version ranges listed under Details below apply regardless of configuration.

Details

CWE(s)
CWE-125 Out-of-bounds Read

Affected Products
PowerDNS dnsdist 1.9.0 through 1.9.13, and 2.0.0 through 2.0.4
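An added audit helper, written for this page in Python rather than taken from PowerDNS, that ties the affected ranges above to the CM-7 point in the mitigating controls: it reports whether a dnsdist build falls in the listed ranges and whether its configuration turns DDR auto-upgrade on, and combines the two into a verdict. The version-string format (an X.Y.Z token as printed by `dnsdist --version`), the Lua spelling `autoUpgrade=true` inside newServer, and the YAML layout `auto_upgrade:` with a nested `enabled: true` are assumptions derived from the option names in the NVD description; the sample configurations are constructed and the comment stripping is deliberately crude.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Affected ranges as listed on this page, inclusive at both ends.
AFFECTED_RANGES = [((1, 9, 0), (1, 9, 13)), ((2, 0, 0), (2, 0, 4))]

# Lua form assumed: newServer({address=..., autoUpgrade=true, ...}); YAML block layout assumed.
LUA_AUTOUPGRADE = re.compile(r"\bautoUpgrade\s*=\s*true\b")
YAML_AUTOUPGRADE = re.compile(r"^(\s*)auto_upgrade:\s*(\S*)")
YAML_ENABLED = re.compile(r"^\s*enabled:\s*true\b")

def parse_version(text: str) -> Version:
    """Pull the first X.Y.Z out of a version string (e.g. `dnsdist --version` output, format assumed)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no X.Y.Z version in {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))

def version_affected(text: str) -> bool:
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip())

def ddr_upgrade_findings(config: str) -> List[Tuple[int, str]]:
    """Return (line number, description) for every place DDR auto-upgrade is switched on."""
    findings: List[Tuple[int, str]] = []
    lines = config.splitlines()
    for i, line in enumerate(lines, start=1):
        code = line.split("--", 1)[0].split("#", 1)[0]   # crude comment stripping (Lua and YAML)
        if LUA_AUTOUPGRADE.search(code):
            findings.append((i, "Lua newServer autoUpgrade=true"))
        m = YAML_AUTOUPGRADE.match(code)
        if not m:
            continue
        if m.group(2).lower() == "true":
            findings.append((i, "YAML auto_upgrade: true"))
            continue
        for j in range(i, len(lines)):                    # block form: look at the nested lines
            nxt = lines[j]
            if nxt.strip() and _indent(nxt) <= len(m.group(1)):
                break
            if YAML_ENABLED.match(nxt):
                findings.append((j + 1, "YAML auto_upgrade.enabled: true"))
    return findings

def assess(version_text: str, config: str) -> str:
    """Combine version exposure (SI-2) with feature exposure (CM-7) into one verdict."""
    affected = version_affected(version_text)
    findings = ddr_upgrade_findings(config)
    if affected and findings:
        return "VULNERABLE: affected version with DDR auto-upgrade enabled; update dnsdist (SI-2) or disable it (CM-7)"
    if affected:
        return "AFFECTED VERSION, NOT EXPOSED: DDR auto-upgrade is off (the default); update anyway"
    if findings:
        return "NOT AFFECTED VERSION: DDR auto-upgrade enabled; keep it only where it is needed (CM-7)"
    return "NOT AFFECTED"

# Constructed sample configurations (not from any real deployment).
SAMPLE_LUA = """\
-- weak: DDR auto-upgrade on, so a rogue backend's SVCB answer reaches the vulnerable path
newServer({address="192.0.2.53:53", autoUpgrade=true, autoUpgradeInterval=3600})
-- hardened: plain backend, no DDR probing
newServer({address="192.0.2.54:53"})
"""
SAMPLE_YAML = """\
backends:
  - address: "192.0.2.53:53"
    auto_upgrade:
      enabled: true
      interval: 3600
  - address: "192.0.2.54:53"
"""

if __name__ == "__main__":
    for version in ("dnsdist 1.9.13", "dnsdist 2.0.5"):
        print(version, "->", assess(version, SAMPLE_LUA))
    print("yaml findings:", ddr_upgrade_findings(SAMPLE_YAML))
```

Run against a real host, feed it the output of `dnsdist --version` and the contents of the configuration file; the verdict strings name the control that applies. Treat the YAML branch as a starting point only, since it matches the assumed key layout and not every way a YAML document can express the same setting.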

CVEs Like This One

CVE-2026-33598 (same product: PowerDNS dnsdist)
CVE-2026-33597 (same product: PowerDNS dnsdist)
CVE-2026-27853 (same product: PowerDNS dnsdist)
CVE-2026-33602 (same product: PowerDNS dnsdist)
CVE-2026-33593 (same product: PowerDNS dnsdist)
CVE-2026-33595 (same product: PowerDNS dnsdist)
CVE-2026-24030 (same product: PowerDNS dnsdist)
CVE-2026-27854 (same product: PowerDNS dnsdist)
CVE-2026-33254 (same product: PowerDNS dnsdist)
CVE-2026-24028 (same product: PowerDNS dnsdist)

References

PowerDNS security advisory 2026-04 for dnsdist: https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html