Description
A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.
Published: 2026-04-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A rogue authoritative DNS server can send specially crafted DNS update requests to a PowerDNS secondary server that forwards them, exhausting the secondary server’s file descriptors. This exhaustion stops the server from opening any additional sockets, leading to an availability loss. The issue is a classic example of an uncontrolled resource consumption flaw (CWE‑400).

Affected Systems

The vulnerability applies to PowerDNS Authoritative servers acting as DNS secondaries that forward update requests. No specific product versions are listed, so all current installations of this component should be considered at risk until a patch is applied.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS information is unavailable, so the current likelihood of exploitation is unclear, but the lack of a KEV listing suggests no known public exploits yet. The likely attack vector is a malicious primary server sending numerous update requests over an open forward‑dnsupdate channel, which an attacker could control if the primary is compromised or malicious.

Generated by OpenCVE AI on April 27, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch for PowerDNS Authoritative that fixes the forward‑dnsupdate file descriptor handling
  • Restrict which primary servers are allowed to send update requests to the secondary, for example by firewall rules or by configuring a whitelist in PowerDNS
  • Monitor the secondary server’s file descriptor count and set system limits or alerts to detect sudden exhaustion

Generated by OpenCVE AI on April 27, 2026 at 08:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6233-1 pdns security update
History

Fri, 24 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns authoritative
Vendors & Products Powerdns
Powerdns authoritative

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.
Title Possible file descriptor exhaustion in forward-dnsupdate
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Powerdns Authoritative
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T14:26:32.724Z

Reserved: 2026-03-23T12:58:38.267Z

Link: CVE-2026-33610

cve-icon Vulnrichment

Updated: 2026-04-22T14:25:17.230Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T14:16:54.887

Modified: 2026-04-24T18:53:08.563

Link: CVE-2026-33610

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T18:45:11Z

Weaknesses