CVE-2026-33257
Unrestricted Memory Allocation DoS in Open-Xchange Web Server
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Open-Xchange
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| powerdns | authoritative | From 4.9.0 (inc) to 4.9.14 (exc) |
| powerdns | authoritative | From 5.0.0 (inc) to 5.0.4 (exc) |
| powerdns | dnsdist | From 1.9.0 (inc) to 1.9.13 (exc) |
| powerdns | dnsdist | From 2.0.0 (inc) to 2.0.4 (exc) |
| powerdns | recursor | From 5.2.0 (inc) to 5.2.9 (exc) |
| powerdns | recursor | From 5.3.0 (inc) to 5.3.6 (exc) |
| powerdns | recursor | 5.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability causes a denial of service (DoS) through unbounded memory allocation in the internal webserver, which is disabled by default. It impacts availability only and does not lead to system compromise or data breach.
Since the vulnerability does not affect confidentiality or integrity of data, it does not directly impact compliance with standards like GDPR or HIPAA that focus on protecting personal data privacy and integrity.
However, availability is a component of many compliance frameworks, so organizations relying on affected PowerDNS components should mitigate the issue to maintain service availability and meet operational requirements.
Can you explain this vulnerability to me?
CVE-2026-33257 is a vulnerability in the internal webserver component of PowerDNS software. It occurs due to insufficient input validation, allowing an attacker to send specially crafted HTTP requests that cause the internal webserver to allocate unlimited memory.
This unlimited memory allocation leads to a denial of service (DoS) condition, making the affected service unavailable. The internal webserver is disabled by default, so exploitation requires it to be enabled.
How can this vulnerability impact me?
The primary impact of this vulnerability is a denial of service (DoS) on the affected PowerDNS internal webserver. An attacker can cause the server to consume excessive memory, potentially crashing or severely degrading the service.
There is no risk of data compromise, privilege escalation, or other security breaches beyond availability loss. The vulnerability requires no privileges or user interaction to exploit and can be triggered remotely over the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the internal webserver of the affected PowerDNS components is enabled and accessible on your network.
Since the vulnerability is triggered by sending crafted HTTP requests to the internal webserver, you can attempt to detect it by scanning for open internal webserver ports and sending test HTTP requests to observe abnormal memory usage or service behavior.
Common commands to detect the presence of the internal webserver include network scanning tools such as:
- `nmap -p <internal_webserver_port> <target_ip>`: checks whether the internal webserver port is open
- `curl http://<target_ip>:<internal_webserver_port>/`: sends an HTTP request and shows the response
Monitoring system memory usage and logs during these tests can help identify if crafted requests cause excessive memory allocation indicative of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade affected PowerDNS Authoritative Server versions to 4.9.14 or 5.0.4, DNSdist versions to 1.9.13 or 2.0.4, and Recursor versions to 5.2.9 or 5.3.6 (the first releases outside the affected ranges in the table above; Recursor 5.4.0 is also listed as affected). These releases contain patches for this vulnerability.
- Disable the internal webserver if it is not required, as it is disabled by default and disabling it reduces exposure.
- Restrict network access to the internal webserver to trusted users or clients only, implementing network-level controls to limit exposure.
These steps help prevent exploitation by limiting access and removing the vulnerable code paths.
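As an added example (not code from this page, from PowerDNS or from Open-Xchange), the following Python script turns the affected-version table and the mitigation steps above into a local check: it classifies an installed version against the ranges listed for CVE-2026-33257 and reports whether the internal webserver is enabled and how it is exposed in a key=value configuration file. Assumptions: version strings are taken from text containing an `X.Y.Z` token (for instance the output of `pdns_server --version`, whose exact wording is assumed); the setting names `webserver`, `webserver-address`, `webserver-port` and `webserver-allow-from` are the Authoritative Server / Recursor key=value settings, and dnsdist's Lua-based configuration is not parsed. The sample version banner and configuration are constructed for the example.

```python
"""Added example: classify a PowerDNS component version against the affected
ranges published for CVE-2026-33257 and report internal-webserver exposure.
Not PowerDNS project code; product names follow the affected-products table."""
from __future__ import annotations

import re

Version = tuple[int, int, int]

# Affected ranges from the table on this page: [min inclusive, max exclusive).
AFFECTED_RANGES: dict[str, list[tuple[Version, Version]]] = {
    "authoritative": [((4, 9, 0), (4, 9, 14)), ((5, 0, 0), (5, 0, 4))],
    "dnsdist": [((1, 9, 0), (1, 9, 13)), ((2, 0, 0), (2, 0, 4))],
    "recursor": [((5, 2, 0), (5, 2, 9)), ((5, 3, 0), (5, 3, 6))],
}
# The page lists Recursor 5.4.0 as a single affected version, not a range.
AFFECTED_EXACT: dict[str, list[Version]] = {"recursor": [(5, 4, 0)]}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def extract_version(text: str) -> Version:
    """Return the first X.Y.Z found in text, e.g. a `--version` banner
    (banner wording is an assumption; any text containing X.Y.Z works)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str | Version) -> bool:
    """True if the version falls inside an affected range or exact version."""
    if product not in AFFECTED_RANGES and product not in AFFECTED_EXACT:
        raise ValueError(f"unknown product {product!r}")
    v = extract_version(version) if isinstance(version, str) else version
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES.get(product, [])):
        return True
    return v in AFFECTED_EXACT.get(product, [])


def parse_kv_config(text: str) -> dict[str, str]:
    """Parse a pdns.conf / old-style recursor.conf: one key=value per line,
    '#' starts a comment, a repeated key keeps its last value."""
    out: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip().lower()] = value.strip()
    return out


def webserver_exposure(config_text: str) -> dict[str, object]:
    """Report whether the internal webserver is switched on and where it
    listens; None means the setting is absent and the daemon default applies."""
    cfg = parse_kv_config(config_text)
    enabled = cfg.get("webserver", "no").lower() in {"yes", "true", "on", "1"}
    return {
        "enabled": enabled,
        "address": cfg.get("webserver-address"),
        "port": cfg.get("webserver-port"),
        "allow_from": cfg.get("webserver-allow-from"),
    }


def assess(product: str, version_text: str, config_text: str) -> dict[str, object]:
    """Combine the version check with the webserver check into one verdict."""
    affected = is_affected(product, version_text)
    exposure = webserver_exposure(config_text)
    if not affected:
        action = "not in an affected range for CVE-2026-33257"
    elif exposure["enabled"]:
        action = ("upgrade now; until then disable the webserver or restrict "
                  "webserver-allow-from to trusted clients")
    else:
        action = "upgrade; webserver is off, so the affected code path is not reachable"
    return {"product": product, "affected": affected, "webserver": exposure, "action": action}


# Constructed sample input (not real output or a real configuration).
SAMPLE_VERSION_BANNER = "PowerDNS Authoritative Server 4.9.10"
SAMPLE_CONF = """# constructed sample pdns.conf
launch=gsqlite3
webserver=yes            # internal webserver switched on
webserver-address=0.0.0.0
webserver-port=8081
"""

if __name__ == "__main__":
    for key, value in assess("authoritative", SAMPLE_VERSION_BANNER, SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

The version comparison is deliberately tuple-based rather than string-based so that 4.9.10 sorts below 4.9.14; a plain string compare would get that wrong. The verdict distinguishes "affected but webserver off" from "affected and exposed" because the page's own guidance is that the internal webserver is disabled by default and is the only reachable path to the bug.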