Skip to main content

PowerDNS EUVDEUVD-2026-24725

| CVE-2026-33260 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 security@open-xchange.com GHSA-r7mf-2mhr-jhvp
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 17:03 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:10 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24725
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 5.3

DescriptionCVE.org

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

AnalysisAI

Denial of service in PowerDNS Authoritative, Recursor, and dnsdist via unbounded memory allocation in their internal web servers when processing specially crafted web requests. Multiple product lines are affected across several version ranges. The internal web server is disabled by default, significantly limiting real-world exposure. A vendor-released patch is available. CVSS 5.3 (low severity) with network-accessible vector but no authentication required reflects the ease of exploitation offset by the availability limitation and DoS-only impact.

Technical ContextAI

The vulnerability resides in the internal web server components embedded in PowerDNS products (Authoritative, Recursor, and dnsdist). When enabled, this web server processes incoming HTTP requests without proper bounds checking on memory allocation. A maliciously crafted web request can trigger unbounded or excessive memory allocation, exhausting system memory and causing the affected process to become unresponsive or crash. The CWE is not explicitly provided, but this maps to CWE-400 (Uncontrolled Resource Consumption) or CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability affects multiple product lines with overlapping but distinct version ranges, suggesting a shared code path or dependency underlying the internal web server implementation across PowerDNS variants.

RemediationAI

Upgrade to a patched version: PowerDNS Authoritative to 4.9.14 or 5.0.4 or later; Recursor to 5.2.9, 5.3.6, 5.4.1, or later as applicable; dnsdist to 1.9.13 or 2.0.4 or later. Patch releases are available directly from the PowerDNS project. If immediate patching is not feasible, disable the internal web server unless explicitly required for monitoring or API functions by commenting out or removing webserver configuration directives (typically 'webserver=yes' or 'api=yes') and restarting the affected service. If the web server must remain enabled, restrict access to the web server listening address and port (typically localhost:8081 or similar) using firewall rules or network segmentation to prevent remote access. Review your PowerDNS configuration to confirm the default state (web server disabled) and audit any intentional enablement for operational necessity. Apply patches during a maintenance window, as restarting the service is required.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

EUVD-2026-24725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy