External risk intelligence

PowerDNS Authoritative bug lets attackers disable DNS service

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-33608

A critical flaw in PowerDNS Authoritative lets attackers disable your DNS service by sending a crafted notify request, leaving the service down until it is fixed manually. This affects internet-facing systems.

Halo Surface Signal: 5

Code Injection

PowerDNS Authoritative

  • 4.9.0 to before 4.9.14
  • 5.0.0 to before 5.0.4

External exposure likelihood

Halo Surface Signal score for CVE-2026-33608

PowerDNS Authoritative is a core DNS server designed for public-facing network infrastructure. By nature, it operates as an externally reachable service. While the notification mechanism specifically may be restricted in some configurations, the product is fundamentally intended for, and commonly deployed in, public-facing roles to handle network resolution requests.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in PowerDNS Authoritative allows an attacker to send a crafted notification request that disrupts the DNS backend. This can lead to the backend becoming inoperable on restart, requiring manual intervention to restore service.

  • Requires remote network access.
  • Can cause denial of service.
  • Requires manual recovery.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability to disrupt DNS services by sending a malicious notify request that corrupts the bind backend configuration. This would render the DNS server inoperable upon restart, requiring manual intervention to restore functionality.

  • Requires no user interaction.
  • Targets the notify request functionality.
  • Disrupts DNS service availability.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability appealing due to its potential for remote code execution and impact on critical network infrastructure. The ability to disrupt DNS resolution services could be leveraged for denial-of-service attacks or as a stepping stone for more sophisticated intrusions, although exploiting it requires sending a specific notification request.

  • Remote code execution potential
  • Impacts critical DNS infrastructure
  • Requires specific request

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching PowerDNS Authoritative versions 4.9.0 through 4.9.13 and 5.0.0 through 5.0.3 to address the critical vulnerability. If immediate patching is not feasible, implement network segmentation or strict access controls for the affected services to mitigate the risk of exploitation.

  • Upgrade to PowerDNS Authoritative 4.9.14 or 5.0.4.
  • Isolate affected PowerDNS instances.
  • Monitor for unexpected DNS resolution failures.
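
To decide which instances need the upgrade first, the affected ranges above can be applied to a version inventory. The following is an added example, not part of the original advisory or of PowerDNS; the host names and version strings are constructed, and treating pre-release builds and other release lines as needing manual review is an assumption, since the advisory does not cover them.

```python
import re

# Affected ranges as stated on this page: (first affected, first fixed release).
AFFECTED = [((4, 9, 0), (4, 9, 14)), ((5, 0, 0), (5, 0, 4))]

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")
# Pre-release tag directly after the version core, e.g. "-rc1" or "~beta2".
_PRERELEASE = re.compile(r"^[-~.]?(alpha|beta|rc)\d*", re.IGNORECASE)


def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'review' for a version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "review"  # unparseable: needs a human look
    core = tuple(int(p) for p in m.group(1, 2, 3))
    if _PRERELEASE.match(m.group(4)):
        return "review"  # pre-releases are not covered by the stated ranges
    for first_affected, first_fixed in AFFECTED:
        if first_affected <= core < first_fixed:
            return "affected"
        if core[:2] == first_fixed[:2] and core >= first_fixed:
            return "fixed"
    return "not-listed"  # release line not named on this page


def triage(inventory):
    """Group hosts by status; inventory maps host name to version string."""
    result = {}
    for host, version in inventory.items():
        result.setdefault(classify(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


# Constructed sample inventory (hypothetical hosts and package version strings).
SAMPLE_INVENTORY = {
    "ns1.example.net": "4.9.13-1pdns.bookworm",
    "ns2.example.net": "4.9.14",
    "ns3.example.net": "5.0.2",
    "ns4.example.net": "5.0.4-1pdns.el9",
    "ns5.example.net": "5.0.0-rc1",
    "ns6.example.net": "4.8.5",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:11} {', '.join(hosts)}")
```

Hosts reported as affected are the upgrade candidates; review and not-listed entries need a manual check against the vendor advisory.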

Frequently asked questions

What is the impact of CVE-2026-33608 on PowerDNS Authoritative servers?

CVE-2026-33608 allows an attacker to send a crafted notify request that results in an invalid configuration for the bind backend. This prevents the backend from running after a restart, necessitating manual intervention to fix the issue and restore service.

How can an attacker exploit the vulnerability in PowerDNS Authoritative?

An attacker can exploit this vulnerability by sending a specific notify request to the PowerDNS Authoritative server. This malicious request corrupts the bind backend's configuration, leading to a denial of service when the server attempts to restart.

What weakness class does CVE-2026-33608 fall under?

This vulnerability is classified under CWE-94, which relates to code injection, specifically the failure to prevent the injection of unintended code or commands into an application. In this case, the attacker's request leads to an invalid configuration that effectively breaks the backend.

How relevant is the Halo Surface Signal to this vulnerability in PowerDNS Authoritative?

Halo classifies this CVE as 'Very likely' to be exploited due to PowerDNS Authoritative being a core DNS server typically deployed in public-facing network infrastructure to handle external resolution requests. Its nature as an externally reachable service increases the relevance of this vulnerability.

What steps should be taken to address CVE-2026-33608?

It is crucial to patch PowerDNS Authoritative to version 4.9.14 or 5.0.4. If immediate patching is not possible, consider network segmentation or strict access controls for the affected services to reduce the risk of exploitation. Continuous monitoring for any unexpected DNS resolution failures is also advised.