{"id":"CVE-2026-33596","summary":"TCP backend stream ID overflow","details":"A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.","modified":"2026-07-15T19:09:26.172448Z","published":"2026-04-22T13:47:10.454Z","related":["SUSE-SU-2026:22319-1","openSUSE-SU-2026:10632-1","openSUSE-SU-2026:21015-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33596.json","cna_assigner":"OX"},"references":[{"type":"WEB","url":"https://repo.powerdns.com/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33596.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33596"},{"type":"ADVISORY","url":"https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-04.html"},{"type":"PACKAGE","url":"https://github.com/PowerDNS/pdns"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/powerdns/pdns","events":[{"introduced":"298a9d67fb760a12eabe89164f92fb814572aea8"},{"fixed":"642a2bb5b67b2bf5c856819273d8f41fecbc0da8"},{"introduced":"89747e81bc60d7950276d5fda3ca669fa81b7cf9"},{"fixed":"bfd0cbf4bf5c1f8757d0cd94c86ea88caf7b2f6d"}],"database_specific":{"cpe":"cpe:2.3:a:powerdns:dnsdist:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"1.9.0"},{"fixed":"1.9.13"},{"introduced":"2.0.0"},{"fixed":"2.0.4"}],"source":"CPE_RANGE"}}],"versions":["dnsdist-2.0.2","dnsdist-2.0.1","dnsdist-1.9.11","dnsdist-2.0.0","dnsdist-1.9.10","dnsdist-1.9.9","dnsdist-1.9.8","dnsdist-1.9.7","dnsdist-1.9.6","dnsdist-1.9.5","dnsdist-1.9.4","dnsdist-1.9.3","dnsdist-1.9.2","dnsdist-1.9.1","dnsdist-1.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33596.json","vanir_signatures_modified":"2026-07-15T19:09:26Z","vanir_signatures":[{"source":"https://github.com/powerdns/pdns/commit/642a2bb5b67b2bf5c856819273d8f41fecbc0da8","target":{"file":"pdns/dnscrypt.cc"},"deprecated":false,"digest":{"line_hashes":["152898936404715912717012814958473792269","4575082192570469972237185990035341899","177678008705605303260633753884530753700","136680451824217662945478382805808332729","204969285221527224213910579710674063651","66014210593085438182573307698386496097","17525951591113452044796585153110335921"],"threshold":0.9},"id":"CVE-2026-33596-2829cf85","signature_type":"Line","signature_version":"v1"},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/powerdns/pdns/commit/642a2bb5b67b2bf5c856819273d8f41fecbc0da8","target":{"file":"pdns/dnscrypt.cc","function":"DNSCryptQuery::computePaddingSize"},"deprecated":false,"digest":{"function_hash":"172078194597412758162700597563448847475","length":706},"id":"CVE-2026-33596-4b79aae9"},{"deprecated":false,"digest":{"function_hash":"219139187612696838153193600735147256736","length":3007},"id":"CVE-2026-33596-b8fc9376","signature_type":"Function","signature_version":"v1","source":"https://github.com/powerdns/pdns/commit/642a2bb5b67b2bf5c856819273d8f41fecbc0da8","target":{"file":"pdns/dnscrypt.cc","function":"DNSCryptQuery::encryptResponse"}},{"target":{"file":"pdns/dnsdistdist/dnscrypt.cc"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["6864841829016440226917919286801415092","177254253808237988567579585374243740684","281318965586644528261302210434407655020","236182772979616684272007619339406923158","321739554045469880473225520600194266713","204969285221527224213910579710674063651","66014210593085438182573307698386496097","17525951591113452044796585153110335921"]},"id":"CVE-2026-33596-d901a0a8","signature_type":"Line","signature_version":"v1","source":"https://github.com/powerdns/pdns/commit/bfd0cbf4bf5c1f8757d0cd94c86ea88caf7b2f6d"},{"deprecated":false,"digest":{"function_hash":"276771802078087666188325581091504637136","length":839},"id":"CVE-2026-33596-e809c528","signature_type":"Function","signature_version":"v1","source":"https://github.com/powerdns/pdns/commit/bfd0cbf4bf5c1f8757d0cd94c86ea88caf7b2f6d","target":{"file":"pdns/dnsdistdist/dnscrypt.cc","function":"DNSCryptQuery::computePaddingSize"}},{"source":"https://github.com/powerdns/pdns/commit/bfd0cbf4bf5c1f8757d0cd94c86ea88caf7b2f6d","target":{"file":"pdns/dnsdistdist/dnscrypt.cc","function":"DNSCryptQuery::encryptResponse"},"deprecated":false,"digest":{"function_hash":"259782563136530440917701746095514260405","length":3491},"id":"CVE-2026-33596-f8ee4cee","signature_type":"Function","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}