SB2026042356 - Multiple vulnerabilities in PowerDNS DNSdist




Published: April 23, 2026

Security Bulletin ID: SB2026042356
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 11
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 64%, Low: 36%

Description

This security bulletin contains information about 11 vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33257)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource allocation in the internal web server when handling crafted HTTP requests. A remote attacker can send a crafted HTTP request to cause a denial of service.

Note: the internal web server is disabled by default.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33260)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource allocation in the internal web server when handling crafted HTTP requests. A remote attacker can send a crafted HTTP request to cause a denial of service.

Note: the internal web server is disabled by default.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33254)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in DoQ and DoH3 connection handling when opening a large number of connections. A remote attacker can open a large number of DoQ or DoH3 connections to cause a denial of service.

DoQ and DoH3 are disabled by default.


4) Out-of-bounds write (CVE-ID: CVE-2026-33602)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds write in UDP response processing when handling crafted UDP responses from a backend. A remote attacker can send a crafted UDP response with a query ID off by one relative to the maximum configured value to cause a denial of service.

Exploitation requires a rogue backend.


5) Out-of-bounds read (CVE-ID: CVE-2026-33599)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in service discovery when processing crafted SVCB responses. A remote attacker can send a crafted SVCB response to cause a denial of service.

Exploitation requires DDR upgrade to be enabled via the autoUpgrade or auto_upgrade settings.


6) Out-of-bounds read (CVE-ID: CVE-2026-33598)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to an out-of-bounds read in packet cache inspection via Lua when custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a cached crafted response. A remote attacker can supply a crafted response that is cached to disclose sensitive information.
</gml_replace>
<gr_replace lines="138-138" cat="clarify" orig="The vulnerability exists due to integer overflow">
The vulnerability exists due to an integer overflow in TCP backend stream ID handling when processing perfectly timed queries routed to a TCP-only or DoT backend. A remote attacker can send a flood of perfectly timed queries to cause a denial of service.

Exploitation requires custom Lua code to call getDomainListByAddress() or getAddressListByDomain() on a packet cache.


7) Input validation error (CVE-ID: CVE-2026-33597)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the PRSD detection algorithm when processing a crafted query containing an invalid DNS label. A remote attacker can send a crafted query to cause a denial of service.

Exploitation affects PRSD detection executed via DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.


8) Integer overflow (CVE-ID: CVE-2026-33596)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow in TCP backend stream id handling when processing perfectly timed queries routed to a TCP-only or DoT backend. A remote attacker can send a flood of perfectly timed queries to cause a denial of service.

Exploitation requires queries to be routed to a TCP-only or DNS over TLS backend.


9) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33595)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in DoQ and DoH3 connection handling when generating many error responses over a single connection. A remote attacker can generate many error responses over a single DoQ or DoH3 connection to cause a denial of service.

Resources are not properly released until the end of the connection.


10) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33594)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in outgoing DoH handling when routing many queries to an overloaded DoH backend. A remote attacker can generate many queries that are routed to an overloaded DoH backend to cause a denial of service.

Queries accumulate in a buffer that is not released until the end of the connection.


11) Division by zero (CVE-ID: CVE-2026-33593)

CWE-ID: CWE-369 - Divide By Zero

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a divide-by-zero in DNSCrypt query processing when parsing a crafted DNSCrypt query. A remote attacker can send a crafted DNSCrypt query to cause a denial of service.
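As an added triage check (not part of this bulletin or of PowerDNS), the script below reports which of the bulletin's CVEs a given dnsdist Lua configuration is exposed to, based on the precondition stated in each entry. The dnsdist function and option names it matches (webserver, addDOQLocal, addDOH3Local, addDNSCryptBind, and the newServer options autoUpgrade, tls, tcpOnly, dohPath) are assumed from dnsdist's configuration API, and the sample configuration is constructed.

```python
import re

# Exposure rules built from this bulletin's stated preconditions, keyed by the
# CVE IDs it lists. The dnsdist configuration names matched here (webserver,
# addDOQLocal, addDOH3Local, addDNSCryptBind, and the newServer options
# autoUpgrade, tls, tcpOnly, dohPath) are assumed from dnsdist's Lua config API.
EXPOSURE_RULES = [
    ("CVE-2026-33257", r"\bwebserver\s*\(", "internal web server enabled"),
    ("CVE-2026-33260", r"\bwebserver\s*\(", "internal web server enabled"),
    ("CVE-2026-33254", r"\badd(DOQ|DOH3)Local\s*\(", "DoQ or DoH3 listener enabled"),
    ("CVE-2026-33595", r"\badd(DOQ|DOH3)Local\s*\(", "DoQ or DoH3 listener enabled"),
    ("CVE-2026-33599", r"\b(autoUpgrade|auto_upgrade)\s*=\s*true", "DDR auto-upgrade enabled"),
    ("CVE-2026-33598", r"\bget(DomainListByAddress|AddressListByDomain)\s*\(",
     "Lua packet-cache inspection in use"),
    ("CVE-2026-33597", r":setSuffixMatchRule(FFI)?\s*\(", "PRSD suffix-match dynamic block rule"),
    ("CVE-2026-33596", r"\btls\s*=|\btcpOnly\s*=\s*true", "TCP-only or DoT backend configured"),
    ("CVE-2026-33594", r"\bdohPath\s*=", "outgoing DoH backend configured"),
    ("CVE-2026-33593", r"\baddDNSCryptBind\s*\(", "DNSCrypt listener enabled"),
]
# CVE-2026-33602 needs a rogue backend rather than a config flag; it is not matched here.


def strip_lua_comments(config: str) -> str:
    """Drop Lua '--' line comments so a commented-out feature is not flagged.
    (Simplification: a '--' inside a string literal also truncates that line.)"""
    return "\n".join(line.split("--", 1)[0] for line in config.splitlines())


def exposed_cves(config: str) -> dict:
    """Return {cve: feature} for every bulletin entry whose precondition the config meets."""
    text = strip_lua_comments(config)
    return {cve: feature for cve, pattern, feature in EXPOSURE_RULES
            if re.search(pattern, text)}


# Constructed sample configuration (not a real deployment) used to exercise the check.
SAMPLE_CONFIG = """
setLocal("0.0.0.0:53")
-- webserver("127.0.0.1:8083", "changeme")  -- disabled: must not be flagged
addDOQLocal("0.0.0.0:853", "/etc/dnsdist/cert.pem", "/etc/dnsdist/key.pem")
newServer({address="192.0.2.10:853", tls="openssl", subjectName="dns.example"})
newServer({address="192.0.2.11", autoUpgrade=true})
"""

if __name__ == "__main__":
    for cve, feature in sorted(exposed_cves(SAMPLE_CONFIG).items()):
        print(f"{cve}: exposed ({feature})")
```

A hit means the feature that the bulletin names as a precondition is enabled, so the update should be prioritised for that host; a clean result still leaves CVE-2026-33602, which depends on backend trust rather than configuration.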


Remediation

Install the update from the vendor's website.