CVE-2026-33260

Name	CVE-2026-33260
Description	An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-6233-1, DSA-6234-1, DSA-6235-1
Debian Bugs	1135373

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
dnsdist (PTS)	bullseye	1.5.1-3	vulnerable
	bookworm	1.7.3-2	vulnerable
	trixie	1.9.10-1+deb13u1	vulnerable
	trixie (security)	1.9.14-0+deb13u1	fixed
	forky, sid	2.0.5-1	fixed
pdns (PTS)	bullseye	4.4.1-1	vulnerable
	bookworm	4.7.3-2	vulnerable
	trixie	4.9.7-1	vulnerable
	trixie (security)	4.9.14-0+deb13u1	fixed
	forky, sid	5.0.3-1	vulnerable
pdns-recursor (PTS)	bullseye	4.4.2-3	vulnerable
	bookworm, bookworm (security)	4.8.8-1+deb12u1	vulnerable
	trixie	5.2.8-0+deb13u1	vulnerable
	trixie (security)	5.2.9-0+deb13u1	fixed
	forky, sid	5.4.1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
dnsdist	source	bullseye	(unfixed)	end-of-life
dnsdist	source	bookworm	(unfixed)	end-of-life
dnsdist	source	trixie	1.9.14-0+deb13u1		DSA-6235-1
dnsdist	source	(unstable)	2.0.4-1
pdns	source	bullseye	(unfixed)	end-of-life
pdns	source	bookworm	(unfixed)	end-of-life
pdns	source	trixie	4.9.14-0+deb13u1		DSA-6233-1
pdns	source	(unstable)	(unfixed)			1135373
pdns-recursor	source	bullseye	(unfixed)	end-of-life
pdns-recursor	source	bookworm	(unfixed)	end-of-life
pdns-recursor	source	trixie	5.2.9-0+deb13u1		DSA-6234-1
pdns-recursor	source	(unstable)	5.3.0-1

Notes

[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
[bookworm] - pdns <end-of-life> (See #1119290)
[bullseye] - pdns <end-of-life> (see DLA 4471)
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html#cve-2026-33260-insufficient-input-validation-of-internal-webserver
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-03.html#cve-2026-33260-insufficient-input-validation-of-internal-web-server
According to the advisory affects only PowerDNS Recursor up to and including 5.2.8,
Mark the first version in unstable after 5.2.9 as the fixed version.
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html