CVE-2026-33598
Received Received - Intake
Out-of-Bounds Read in Open-Xchange Lua Packet Cache

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: Open-Xchange

Description
A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33598
EUVD
EUVD-2026-24939
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
powerdns dnsdist From 1.9.0 (inc) to 1.9.13 (exc)
powerdns dnsdist From 2.0.0 (inc) to 2.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when a cached crafted response triggers an out-of-bounds read. This happens if custom Lua code calls the functions getDomainListByAddress() or getAddressListByDomain() on a packet cache.

Impact Analysis

The vulnerability can lead to an out-of-bounds read, which may cause limited information disclosure (confidentiality impact) and a partial denial of service (availability impact). The CVSS score indicates a low to medium severity with no impact on integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33598. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart