Impact
The vulnerability is caused by insufficient input validation in PowerDNS’ internal web server, allowing an attacker to send a crafted request that triggers unlimited memory allocation. This can exhaust system memory and render the web server or associated process unresponsive, resulting in a denial of service. The weakness is a form of uncontrolled resource consumption and improper input validation, affecting the availability of the DNS service while leaving confidentiality and integrity unchanged.
Affected Systems
The affected products are PowerDNS Authoritative, PowerDNS DNSdist, and PowerDNS Recursor. No specific version information is provided, so all released versions of these products are potentially impacted until a vendor patch is applied. The internal web server, which is disabled by default, must be enabled for this flaw to be exploitable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified. The description indicates that an attacker can send a crafted HTTP request to the internal web server to trigger unlimited memory allocation. Authentication requirements are not explicitly stated, so we infer that the request may not need authentication, but this cannot be confirmed. The attack likely requires network access to the internal web server, which is typically restricted to administrators. The overall risk therefore remains moderate, affecting primarily availability when the internal web server is enabled.
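Because the flaw is only reachable when the internal web server is enabled and network-reachable, the practical mitigation check is a configuration audit: is the web server on, and from which addresses is it allowed? The script below is an added example written for this page, not code from the PowerDNS project or from OpenCVE. It parses a constructed pdns.conf-style file (the Authoritative and Recursor keys `webserver` and `webserver-allow-from` are real; the loopback default of `127.0.0.1,::1` for the allow-list is assumed from the vendor documentation) and classifies exposure as `disabled`, `local`, or `exposed`. DNSdist configures its web server in Lua rather than in this key=value format, so it is not covered here.

```shell
#!/bin/sh
# Constructed sample configuration (not from any real deployment) to audit.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed example pdns.conf
launch=gsqlite3
webserver=yes
webserver-address=0.0.0.0
webserver-port=8081
webserver-allow-from=0.0.0.0/0
EOF

# conf_value FILE KEY
# Print the value of KEY from a key=value config, ignoring commented lines.
# The last occurrence wins, matching how PowerDNS reads repeated keys.
conf_value() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" \
    | grep -v '^[[:space:]]*#' \
    | tail -n 1 \
    | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# webserver_exposure FILE
# Prints one of:
#   disabled - webserver is off or unset (the default), so the flaw is unreachable
#   local    - webserver is on but the allow-list contains only loopback addresses
#   exposed  - webserver is on and the allow-list admits non-loopback sources
webserver_exposure() {
  ws="$(conf_value "$1" webserver)"
  case "$ws" in
    yes|on|true|1) ;;                 # PowerDNS boolean spellings
    *) echo disabled; return 0 ;;
  esac
  allow="$(conf_value "$1" webserver-allow-from)"
  # Assumed documented default when the key is absent: loopback only.
  [ -z "$allow" ] && allow="127.0.0.1,::1"
  # Drop loopback entries; anything left means remote hosts may reach the server.
  nonlocal="$(printf '%s' "$allow" | tr ',' '\n' \
    | grep -v -E '^[[:space:]]*(127\.0\.0\.1(/32)?|::1(/128)?)[[:space:]]*$' \
    | grep -c . || true)"
  if [ "$nonlocal" -eq 0 ]; then echo local; else echo exposed; fi
}

# Usage: report the exposure of the constructed sample (prints "exposed").
echo "sample config: $(webserver_exposure "$SAMPLE_CONF")"
```

A result of `exposed` means the availability impact described above is reachable from whatever networks can route to `webserver-address`; tightening `webserver-allow-from` to administrator hosts, or setting `webserver=no` where the HTTP interface is not needed, removes the attack surface until the vendor patch is applied.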
OpenCVE Enrichment