Skip to main content

dnsdist CVE-2026-33597

| EUVDEUVD-2026-24937 LOW
Improper Encoding or Escaping of Output (CWE-116)
2026-04-22 security@open-xchange.com GHSA-7mxf-3gj9-r25x
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 18:51 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Analysis Generated
Apr 22, 2026 - 15:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24937
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
LOW 3.7

DescriptionCVE.org

PRSD detection denial of service

AnalysisAI

Denial of service in dnsdist via crafted PRSD (PowerDNS Response Detection) queries causes assertion failure and service disruption on remote DNS resolvers. The vulnerability requires specific network conditions and crafted packet construction (AC:H) but affects default configurations without authentication. CVSS 3.7 reflects low availability impact with non-trivial exploitation complexity.

Technical ContextAI

dnsdist is a DNS load balancer and traffic distributor from PowerDNS. PRSD (PowerDNS Response Detection) is a DNS protocol extension used for advanced traffic analysis and filtering. The vulnerability exists in dnsdist's PRSD packet handling logic, where malformed or specially crafted PRSD queries trigger an assertion failure in the detection engine rather than graceful error handling. This likely involves improper bounds checking or type validation in the PRSD parser when processing the detection data structure.

RemediationAI

Consult the official PowerDNS dnsdist security advisory at https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html for the specific patched version number and upgrade instructions. Pending patch availability, operators can mitigate by disabling PRSD detection if not required for operations (via dnsdist configuration), implementing rate limiting on DNS queries to reduce the window for crafted packet delivery, or restricting PRSD-based traffic to trusted upstream resolvers. Note that disabling PRSD detection may impact traffic analysis and load balancing features that depend on response detection.

CVE-2017-7557 HIGH
8.8 Aug 22

dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechanism for REST API potentially allowing CSRF attack.

CVE-2026-24029 MEDIUM
6.5 Mar 31

PowerDNS dnsdist allows unauthenticated DNS over HTTPS (DoH) queries to bypass access control lists when the early_acl_d

CVE-2026-27853 MEDIUM
5.9 Mar 31

DNSdist fails to validate packet size bounds when rewriting DNS questions or responses via Lua methods (DNSQuestion:chan

CVE-2018-14663 MEDIUM
5.9 Nov 26

An issue has been found in PowerDNS DNSDist before 1.3.3 allowing a remote attacker to craft a DNS query with trailing d

CVE-2026-24030 MEDIUM
5.3 Mar 31

Memory exhaustion in DNSdist allows remote, unauthenticated attackers to trigger denial of service by crafting malicious

CVE-2026-24028 MEDIUM
5.3 Mar 31

Out-of-bounds read in PowerDNS dnsdist allows unauthenticated remote attackers to trigger denial of service or potential

CVE-2026-27854 MEDIUM
4.8 Mar 31

DNSdist instances using custom Lua code can be crashed via denial of service when the DNSQuestion:getEDNSOptions method

CVE-2026-33599 LOW
3.1 Apr 22

dnsdist's Discovery of Designated Resolvers (DDR) upgrade mechanism allows a rogue backend to send a crafted SVCB respon

CVE-2026-33596 LOW
3.1 Apr 22

dnsdist can experience a denial-of-service condition through query-response mismatching when a client sends precisely ti

CVE-2026-0396 LOW
3.1 Mar 31

HTML injection in DNSdist internal web dashboard allows remote unauthenticated attackers to inject malicious content via

Share

CVE-2026-33597 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy