CVE-2026-33260
Unrestricted Memory Allocation DoS in Open-Xchange Web Server
Publication date: 2026-04-22
Last updated on: 2026-04-27
Assigner: Open-Xchange
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| powerdns | authoritative | From 4.9.0 (inc) to 4.9.14 (exc) |
| powerdns | authoritative | From 5.0.0 (inc) to 5.0.4 (exc) |
| powerdns | dnsdist | From 1.9.0 (inc) to 1.9.13 (exc) |
| powerdns | dnsdist | From 2.0.0 (inc) to 2.0.4 (exc) |
| powerdns | recursor | From 5.2.0 (inc) to 5.2.9 (exc) |
| powerdns | recursor | From 5.3.0 (inc) to 5.3.6 (exc) |
| powerdns | recursor | 5.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability allows an attacker to send a specially crafted web request to the internal web server that triggers unlimited memory allocation. This excessive memory usage can cause the server to become unresponsive or crash, resulting in a denial of service condition.
It is important to note that the internal web server is disabled by default, which may reduce the likelihood of exploitation.
How can this vulnerability impact me? :
The primary impact of this vulnerability is a denial of service (DoS) attack. An attacker exploiting this issue can cause the internal web server to consume unlimited memory, potentially leading to system instability, crashes, or unavailability of services relying on that server.
What immediate steps should I take to mitigate this vulnerability?
Since the internal web server is disabled by default, ensure that it remains disabled if it is not needed.
Avoid exposing the internal web server to untrusted networks to prevent attackers from sending malicious web requests that cause unlimited memory allocation and denial of service.