{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33256", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.572Z", "datePublished": "2026-04-22T09:37:32.538Z", "dateUpdated": "2026-04-22T09:37:32.538Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T09:37:32.538Z"}, "title": "Unbounded memory allocation by internal web server", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "Recursor", "collectionURL": "https://repo.powerdns.com/", "packageName": "pdns-recursor", "repo": "https://github.com/PowerDNS/pdns", "modules": ["webserver"], "programFiles": ["web.rs"], "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.1", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.</p>"}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "credits": [{"lang": "en", "value": "Ap4sh - Samy Medjahed and Ethicxz - Eliott Laurie Ap4sh / Ethicxz", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default."}], "id": "CVE-2026-33256", "lastModified": "2026-04-22T10:16:51.193", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-04-22T10:16:51.193", "references": [{"source": "security@open-xchange.com", "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.4.0,5.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.2.0,5.2.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Recursor", "source": "cna", "vendor": "PowerDNS"}, "product": "recursor", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-22T11:23:06.299371+00:00", "value": {"mitigation_remediation": ["Ensure the internal web server remains disabled if it is not needed. If remediation is required, disable or remove the internal web server configuration.", "Upgrade PowerDNS Recursor to the latest release when an official patch becomes available.", "Verify that no external or internal clients can access the internal web server endpoint, and restrict network access accordingly."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PowerDNS Recursor, a DNS recursive resolver. No specific version information is provided, implying that all current releases are potentially impacted until a patch is released.", "description_and_impact": "An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. This flaw allows the allocation of arbitrary amounts of memory, which can exhaust system resources and force the service to become unreachable. The weakness is governed by the \"Uncontrolled Memory Allocation\" category of software security issues.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. The attack vector is likely remote, via a crafted HTTP request sent to the internal web server; however, the service is disabled by default, which mitigates immediate risk. If the internal web server has been enabled, the vulnerability could be abused by anyone who can reach that interface."}}}}, "created": "2026-04-22T11:30:15.371787+00:00", "updated": "2026-04-22T12:30:16.680860+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$recursor"]}