CVE-2026-33610
Published: 22 April 2026
Summary
CVE-2026-33610 is a medium-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Powerdns Authoritative. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely flaw remediation through patching the specific PowerDNS vulnerability causing file descriptor exhaustion from rogue primary DNS update forwarding.
Directly protects against denial-of-service events like file descriptor exhaustion triggered by untrusted DNS update requests from rogue primaries.
Ensures protection of critical resources such as file descriptors from uncontrolled consumption during DNS update forwarding to rogue primaries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability directly enables exploitation of the PowerDNS secondary server to cause file descriptor exhaustion and denial of service, matching T1499.004 Application or System Exploitation.
NVD Description
A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.
Deeper analysisAI
CVE-2026-33610 is a vulnerability in PowerDNS secondary servers that enables a rogue primary server to cause file descriptor exhaustion, resulting in a denial of service. The issue occurs when the secondary server forwards a DNS update request to the rogue primary, leading to uncontrolled resource consumption (CWE-400). It carries a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-04-22T14:16:54.887.
Attackers who control a rogue primary server can exploit this if a targeted PowerDNS secondary server is configured to trust and forward DNS update requests to it. No privileges, user interaction, or scope changes are required, though the attack demands high complexity to establish the rogue primary relationship. Successful exploitation exhausts file descriptors on the secondary, causing a denial of service with no impact on confidentiality or integrity.
The official PowerDNS security advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html outlines mitigations, which security practitioners should review for patching instructions and configuration guidance to restrict DNS update forwarding and prevent resource exhaustion from untrusted primaries.
Details
- CWE(s)