Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
AnalysisAI
Denial of service via unlimited memory allocation in PowerDNS Recursor's internal web server affects versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0. An unauthenticated remote attacker can send a crafted web request to exhaust server memory when the internal web server is enabled, causing service unavailability. No public exploit code or active exploitation has been identified, but patch versions are available from the vendor.
Technical ContextAI
PowerDNS Recursor is a DNS recursive resolver that includes an optional internal web server for statistics and management queries. The vulnerability stems from improper memory management in the web server request handling, allowing an attacker to trigger unbounded memory allocation through a crafted HTTP request. The attack surface is limited because the internal web server is disabled by default, but administrators who enable it for monitoring or API access expose their infrastructure to this denial-of-service vector. The root cause likely involves insufficient bounds checking or memory limit enforcement in request processing, though specific CWE classification was not provided.
RemediationAI
Upgrade to PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1, or later, depending on your current version branch. Full patch details and upgrade instructions are available in the vendor security advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html. If immediate patching is not possible, disable the internal web server by setting webserver=no and api=no in the Recursor configuration file (typically /etc/powerdns/recursor.conf), then restart the service. This mitigation eliminates the attack surface entirely but removes access to the web-based statistics interface and REST API; assess operational impact before applying. Network-level mitigation via firewall rules blocking access to the web server port (default 8082) provides partial protection but is not a substitute for patching, as the vulnerability allows exploitation from any network-accessible attacker.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24719
GHSA-f4c2-g8rq-pq9h