Skip to main content

PowerDNS Authoritative EUVDEUVD-2026-24949

| CVE-2026-33610 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-04-22 security@open-xchange.com GHSA-7rv6-r2fm-295c
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
Apr 24, 2026 - 18:53 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Analysis Generated
Apr 22, 2026 - 15:02 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24949
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
MEDIUM 5.9

DescriptionCVE.org

A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.

AnalysisAI

Denial of service in PowerDNS secondary servers occurs when a rogue primary server sends crafted DNS update requests that cause file descriptor exhaustion on the secondary, eventually rendering the secondary unable to process legitimate DNS queries. The attack requires network-level coordination between a compromised or attacker-controlled primary server and a target secondary server, with moderate attack complexity due to the need to establish a primary-secondary relationship. No active exploitation has been confirmed in CISA KEV at time of analysis.

Technical ContextAI

PowerDNS Authoritative runs DNS secondary servers that replicate zone data from primary servers via zone transfers and DNS update mechanisms (NOTIFY/AXFR). When a secondary processes a DNS update request (typically via NOTIFY protocol or DNS UPDATE messages), it may allocate file descriptors to handle the incoming data. A rogue primary can send malformed or excessive update requests that fail to properly release file descriptors, leading to resource exhaustion. This is a resource-starvation attack that exploits the secondary's trust relationship with its configured primary server, targeting the DNS update ingestion code path.

RemediationAI

Consult the PowerDNS advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html for the patched version and apply the vendor-released fix immediately to all secondary servers. In the interim, limit zone transfer relationships and DNS update sources to primary servers on trusted networks; restrict secondary servers' network access to primary servers to only necessary IP addresses and ports using firewall rules; monitor file descriptor usage on secondary servers using system tools (lsof, netstat) to detect exhaustion patterns; and implement rate limiting on NOTIFY/UPDATE message processing at the network perimeter if the DNS infrastructure allows. These compensating controls reduce attack surface but do not eliminate the vulnerability - patching is the authoritative remediation.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-24949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy