{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33596", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-23T12:57:56.814Z", "datePublished": "2026-04-22T13:47:10.454Z", "dateUpdated": "2026-04-22T14:43:54.294Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T13:47:10.454Z"}, "title": "TCP backend stream ID overflow", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Integer Overflow or Wraparound", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "DNSdist", "collectionURL": "https://repo.powerdns.com/", "packageName": "dnsdist", "repo": "https://github.com/PowerDNS/pdns", "modules": ["Outgoing DNS over TCP"], "programFiles": ["dnsdist-tcp-downstream.hh"], "versions": [{"status": "affected", "version": "1.9.0", "lessThan": "1.9.13", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.</p>"}]}], "references": [{"url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW", "baseSeverity": "LOW", "baseScore": 3.1, "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "credits": [{"lang": "en", "value": "ylwango613", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-190", "lang": "en", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:43:12.207234Z", "id": "CVE-2026-33596", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:43:54.294Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33596", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:43:12.207234Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:42:18.441Z"}}], "cna": {"title": "TCP backend stream ID overflow", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "ylwango613"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "modules": ["Outgoing DNS over TCP"], "product": "DNSdist", "versions": [{"status": "affected", "version": "1.9.0", "lessThan": "1.9.13", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.0.4", "versionType": "semver"}], "packageName": "dnsdist", "programFiles": ["dnsdist-tcp-downstream.hh"], "collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected"}], "datePublic": "2026-04-21T22:00:00.000Z", "references": [{"url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.", "supportingMedia": [{"type": "text/html", "value": "<p>A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T13:47:10.454Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33596", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:43:54.294Z", "dateReserved": "2026-03-23T12:57:56.814Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2026-04-22T13:47:10.454Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCC2DF11-EC5C-4112-90F2-C266CB65D390", "versionEndExcluding": "1.9.13", "versionStartIncluding": "1.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*", "matchCriteriaId": "29865EC6-C1A0-40F3-B0BB-7F71F9C1DCB7", "versionEndExcluding": "2.0.4", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend."}], "id": "CVE-2026-33596", "lastModified": "2026-04-24T18:50:36.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-22T14:16:54.073", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory"], "url": "https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.9.0,1.9.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.0.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "DNSdist", "source": "cna", "vendor": "PowerDNS"}, "product": "dnsdist", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-27T19:16:59.679595+00:00", "value": {"mitigation_remediation": ["Adjust firewall or load\u2011balancing rules to rate\u2011limit traffic entering DNSdist from untrusted sources.", "Upgrade to a DNSdist release that incorporates the described fix, as noted in the official PowerDNS advisory.", "Configure DNSdist to use UDP or other tolerant back\u2011end protocols where feasible to avoid TCP\u2011only or TLS bottlenecks.", "Continuously monitor DNS request patterns for abrupt increases or timing anomalies to detect attempted probe traffic."], "summary": {"action": "Monitor", "impact": "Query Mismatch"}, "threat_synthesis": {"affected_systems": "The product affected is PowerDNS DNSdist, a DNS load\u2011balancer and forwarder. No specific version range is listed in the advisory, so all installations of DNSdist remain potentially vulnerable until patched.", "description_and_impact": "A flood of perfectly timed queries can force DNSdist to misalign the identifiers used for TCP or DNS over TLS back\u2011end sessions, resulting in responses not matching the intended queries. The consequence is that the resolver may deliver incorrect, stale, or no answers, effectively degrading DNS service quality or availability. This weakness is identified as integer overflow (CWE\u2011190).", "risk_and_exploitability": "The CVSS score of 3.1 indicates a low severity risk. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. The likely attack scenario requires a client to send a high volume of tightly timed queries to a backend that accepts only TCP or TLS, which could be feasible on an open or poorly protected network. Given the low severity and lack of documented exploitation, the primary concern is operational disruption rather than a catastrophic breach."}}}}, "created": "2026-04-22T20:00:08.409870+00:00", "updated": "2026-04-27T19:30:12.037002+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$dnsdist"]}