Skip to main content

PowerDNS EUVDEUVD-2026-24720

| CVE-2026-33257 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 security@open-xchange.com GHSA-p687-4q66-wh3p
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 17:03 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:09 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24720
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 5.3

DescriptionCVE.org

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

AnalysisAI

Unlimited memory allocation in PowerDNS internal web server allows remote denial of service via crafted web requests. The vulnerability affects multiple PowerDNS products (dnsdist, Authoritative, and Recursor) across multiple versions, though the internal web server is disabled by default, significantly limiting real-world exposure. CVSS 5.3 reflects low attack complexity and no authentication requirements, but the default-disabled state and requirement to enable the internal web server substantially reduce practical risk.

Technical ContextAI

PowerDNS comprises three main components, each with an optional internal web server for management and monitoring: dnsdist (DNS load balancer), Authoritative (authoritative DNS server), and Recursor (recursive DNS resolver). The vulnerability exists in the memory allocation logic of these internal web servers when processing HTTP requests. CWE classification is not provided, but the unbounded memory allocation pattern is consistent with CWE-770 (Allocation of Resources Without Limits or Throttling). The attack vector is network-based and requires no privileges or user interaction, indicating the web server accepts unauthenticated connections when enabled.

RemediationAI

Upgrade to patched versions immediately: dnsdist 1.9.13 or later, 2.0.4 or later; PowerDNS Authoritative 4.9.14 or later, 5.0.4 or later; PowerDNS Recursor 5.2.9 or later, 5.3.6 or later, 5.4.1 or later. If immediate upgrade is not possible, disable the internal web server by removing or commenting out the webserver configuration directive (typically 'webserver=yes' or similar) in the PowerDNS configuration file and restarting the service. This eliminates the attack surface entirely and is the strongest compensating control if the internal web server is not required for operations. If the web server must remain enabled for management purposes, restrict network access to it using firewall rules or bind it to localhost or a protected management network interface only, preventing untrusted networks from reaching it. Consult the specific PowerDNS product documentation (Authoritative, Recursor, or dnsdist) for exact configuration syntax.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-24720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy