{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33254", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.572Z", "datePublished": "2026-04-22T13:45:07.069Z", "dateUpdated": "2026-04-22T14:51:51.130Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T13:45:07.069Z"}, "title": "Resource exhaustion via DoQ/DoH3 connections", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "DNSdist", "collectionURL": "https://repo.powerdns.com/", "packageName": "dnsdist", "repo": "https://github.com/PowerDNS/pdns", "modules": ["DNS over QUIC", "DNS over HTTP3"], "programFiles": ["doh3.cc", "doq.cc"], "versions": [{"status": "affected", "version": "1.9.0", "lessThan": "1.9.13", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.</p>"}]}], "references": [{"url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "credits": [{"lang": "en", "value": "Salvor Labs - https://salvor.fr", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:51:24.341357Z", "id": "CVE-2026-33254", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:51:51.130Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:51:24.341357Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:50:08.743Z"}}], "cna": {"title": "Resource exhaustion via DoQ/DoH3 connections", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Salvor Labs - https://salvor.fr"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "modules": ["DNS over QUIC", "DNS over HTTP3"], "product": "DNSdist", "versions": [{"status": "affected", "version": "1.9.0", "lessThan": "1.9.13", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "packageName": "dnsdist", "programFiles": ["doh3.cc", "doq.cc"], "collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected"}], "datePublic": "2026-04-21T22:00:00.000Z", "references": [{"url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.", "supportingMedia": [{"type": "text/html", "value": "<p>An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T13:45:07.069Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33254", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:51:51.130Z", "dateReserved": "2026-03-18T10:06:16.572Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2026-04-22T13:45:07.069Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCC2DF11-EC5C-4112-90F2-C266CB65D390", "versionEndExcluding": "1.9.13", "versionStartIncluding": "1.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*", "matchCriteriaId": "29865EC6-C1A0-40F3-B0BB-7F71F9C1DCB7", "versionEndExcluding": "2.0.4", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default."}], "id": "CVE-2026-33254", "lastModified": "2026-04-27T16:58:36.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:53.520", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory"], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.9.0,1.9.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "DNSdist", "source": "cna", "vendor": "PowerDNS"}, "product": "dnsdist", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-22T19:21:01.226696+00:00", "value": {"mitigation_remediation": ["Upgrade DNSdist to the latest version as announced in the vendor advisory", "Configure DNSdist to disable DoQ and DoH3 permanently if they are not required", "Implement network-level limits or firewall rules to restrict the number of simultaneous connections to DNSdist"], "summary": {"action": "Apply Patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "The flaw affects DNSdist, the open\u2011source load\u2011balancing front\u2011end for PowerDNS. Any installation that has DoQ or DoH3 enabled is susceptible; the advisory notes that these protocols are disabled by default.", "description_and_impact": "An attacker can open a high volume of concurrent DoQ or DoH3 connections to a DNSdist instance. Because DoQ and DoH3 allow unlimited memory allocation per connection, the service can exhaust its available memory and become unresponsive. The vulnerability is classified as CWE-770, indicating a resource\u2011exhaustion weakness that leads to denial of service.", "risk_and_exploitability": "The CVSS score of 5.3 places the issue in the medium severity range. EPSS is currently unavailable and the flaw is not listed in the CISA KEV catalog. Because DoQ and DoH3 are off by default, successful exploitation requires the attacker to either enable them or convince the operator to do so. If enabled, the path of attack is to generate a large number of simultaneous connections, which will drain the server\u2019s memory and cause a denial of service."}}}}, "created": "2026-04-22T19:15:24.275187+00:00", "updated": "2026-04-22T19:30:24.746779+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$dnsdist"]}