Description
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. This flaw allows the allocation of arbitrary amounts of memory, which can exhaust system resources and force the service to become unreachable. The weakness is governed by the "Uncontrolled Memory Allocation" category of software security issues.

Affected Systems

The vulnerability affects the PowerDNS Recursor, a DNS recursive resolver. Version 5.4.0 is specifically listed as affected by the advisory. No other releases are mentioned as impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score of < 1% indicates a very low probability of exploitation, and the issue is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. The attack vector is likely remote, via a crafted HTTP request sent to the internal web server; however, the service is disabled by default, which mitigates immediate risk. If the internal web server has been enabled, the vulnerability could be abused by anyone who can reach that interface.

Generated by OpenCVE AI on April 29, 2026 at 00:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Ensure the internal web server remains disabled if it is not needed. If remediation is required, disable or remove the internal web server configuration.
  • Upgrade PowerDNS Recursor to the latest release when an official patch becomes available.
  • Verify that no external or internal clients can access the internal web server endpoint, and restrict network access accordingly.

Generated by OpenCVE AI on April 29, 2026 at 00:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
cpe:2.3:a:powerdns:recursor:5.4.0:*:*:*:*:*:*:*

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Wed, 22 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Title Unbounded memory allocation by internal web server
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T18:10:36.938Z

Reserved: 2026-03-18T10:06:16.572Z

Link: CVE-2026-33256

cve-icon Vulnrichment

Updated: 2026-04-22T18:00:39.099Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T10:16:51.193

Modified: 2026-04-27T17:04:04.123

Link: CVE-2026-33256

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z

Weaknesses