Skip to main content

PowerDNS Recursor EUVDEUVD-2026-24719

| CVE-2026-33256 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 security@open-xchange.com GHSA-f4c2-g8rq-pq9h
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 17:04 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:09 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24719
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 5.3

DescriptionCVE.org

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

AnalysisAI

Denial of service via unlimited memory allocation in PowerDNS Recursor's internal web server affects versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0. An unauthenticated remote attacker can send a crafted web request to exhaust server memory when the internal web server is enabled, causing service unavailability. No public exploit code or active exploitation has been identified, but patch versions are available from the vendor.

Technical ContextAI

PowerDNS Recursor is a DNS recursive resolver that includes an optional internal web server for statistics and management queries. The vulnerability stems from improper memory management in the web server request handling, allowing an attacker to trigger unbounded memory allocation through a crafted HTTP request. The attack surface is limited because the internal web server is disabled by default, but administrators who enable it for monitoring or API access expose their infrastructure to this denial-of-service vector. The root cause likely involves insufficient bounds checking or memory limit enforcement in request processing, though specific CWE classification was not provided.

RemediationAI

Upgrade to PowerDNS Recursor 5.2.9, 5.3.6, 5.4.1, or later, depending on your current version branch. Full patch details and upgrade instructions are available in the vendor security advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html. If immediate patching is not possible, disable the internal web server by setting webserver=no and api=no in the Recursor configuration file (typically /etc/powerdns/recursor.conf), then restart the service. This mitigation eliminates the attack surface entirely but removes access to the web-based statistics interface and REST API; assess operational impact before applying. Network-level mitigation via firewall rules blocking access to the web server port (default 8082) provides partial protection but is not a substitute for patching, as the vulnerability allows exploitation from any network-accessible attacker.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-24719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy