Description
An attacker can send a web request that causes unlimited memory
allocation in the internal web server, leading to a denial of service.
The internal web server is disabled by default.
Published: 2026-06-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can send crafted requests to an internal web server that causes unlimited memory allocation, resulting in a denial of service. The vulnerability stems from insufficient input validation that fails to limit the size of data processed by the server, which corresponds to CWE-400. Attackers could exploit this flaw by repeatedly requesting large payloads until the system exhausts available memory, causing it to become unresponsive. The CVSS score of 4.3 reflects a moderate severity level for a resource exhaustion flaw.

Affected Systems

The vulnerability affects the PowerDNS Authoritative server, regardless of the specific version, when the internal web server component is enabled. All installations that have not disabled this feature—or have not applied a later patch—are potentially vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate impact, and the EPSS score is unavailable, suggesting no documented exploitation activity to date. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, as the flaw is triggered by external web requests. An attacker only needs to target the internal web server port; the attack does not require privileged access or authentication. Because the feature is disabled by default, the risk is mitigated for most users who have not enabled the internal web server. However, any configuration that turns this component on exposes the system to potential memory exhaustion and eventual denial of service.

Generated by OpenCVE AI on June 25, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the internal web server when it is not needed
  • Configure the server to reject requests with payloads above a safe size threshold
  • Update the PowerDNS Authoritative software to the latest version when a vendor patch is released

Generated by OpenCVE AI on June 25, 2026 at 17:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6367-1 dnsdist security update
Debian DSA Debian DSA DSA-6368-1 pdns security update
Debian DSA Debian DSA DSA-6369-1 pdns-recursor security update
History

Fri, 26 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns authoritative
Vendors & Products Powerdns
Powerdns authoritative

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-368

Thu, 25 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Description An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Title Insufficient input validation of internal web server
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}


Subscriptions

Powerdns Authoritative
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T13:04:12.854Z

Reserved: 2026-04-23T11:15:21.199Z

Link: CVE-2026-42005

cve-icon Vulnrichment

Updated: 2026-06-25T13:04:09.406Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T23:45:04Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption