{"api_version":"1","generated_at":"2026-04-22T16:32:41+00:00","cve":"CVE-2026-33611","urls":{"html":"https://cve.report/CVE-2026-33611","api":"https://cve.report/api/cve/CVE-2026-33611.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-33611","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-33611"},"summary":{"title":"Insufficient validation of HTTPS and SVCB records","description":"An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.","state":"PUBLISHED","assigner":"OX","published_at":"2026-04-22 14:16:55","updated_at":"2026-04-22 15:16:14"},"problem_types":["CWE-190","Integer Overflow or Wraparound","CWE-190 CWE-190 Integer Overflow or Wraparound"],"metrics":[{"version":"3.1","source":"security@open-xchange.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html","name":"https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html","refsource":"security@open-xchange.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-33611","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33611","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"PowerDNS","product":"Authoritative","version":"affected 5.0.0 5.0.4 semver","platforms":[]},{"source":"CNA","vendor":"PowerDNS","product":"Authoritative","version":"affected 4.9.0 4.9.14 semver","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Tibs","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-33611","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-22T14:24:04.530345Z","version":"2.0.3"},"type":"ssvc"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-190","description":"CWE-190 Integer Overflow or Wraparound","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-22T14:24:57.121Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://repo.powerdns.com/","defaultStatus":"unaffected","modules":["SVCB/ALPN parsing"],"packageName":"pdns","product":"Authoritative","programFiles":["dnswriter.cc","rcpgenerator.cc"],"repo":"https://github.com/PowerDNS/pdns","vendor":"PowerDNS","versions":[{"lessThan":"5.0.4","status":"affected","version":"5.0.0","versionType":"semver"},{"lessThan":"4.9.14","status":"affected","version":"4.9.0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Tibs"}],"datePublic":"2026-04-08T22:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.</p>"}],"value":"An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"HIGH","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"description":"Integer Overflow or Wraparound","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-22T14:01:10.135Z","orgId":"8ce71d90-2354-404b-a86e-bec2cc4e6981","shortName":"OX"},"references":[{"url":"https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html"}],"source":{"discovery":"UNKNOWN"},"title":"Insufficient validation of HTTPS and SVCB records","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"8ce71d90-2354-404b-a86e-bec2cc4e6981","assignerShortName":"OX","cveId":"CVE-2026-33611","datePublished":"2026-04-22T14:01:10.135Z","dateReserved":"2026-03-23T12:58:38.267Z","dateUpdated":"2026-04-22T14:24:57.121Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 14:16:55","lastModifiedDate":"2026-04-22 15:16:14","problem_types":["CWE-190","Integer Overflow or Wraparound","CWE-190 CWE-190 Integer Overflow or Wraparound"],"metrics":{"cvssMetricV31":[{"source":"security@open-xchange.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.2,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"33611","Ordinal":"1","Title":"Insufficient validation of HTTPS and SVCB records","CVE":"CVE-2026-33611","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"33611","Ordinal":"1","NoteData":"An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.","Type":"Description","Title":"Insufficient validation of HTTPS and SVCB records"}]}}}