What is CVE-2026-33257?

CVE-2026-33257 is a security vulnerability identified in powerdns-recursor. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2026-33257?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2026-33257.

How can I protect against CVE-2026-33257?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2026-33257.

REPORT / 01

Analysis Report · powerdns-recursor rec-5.2.8 → rec-5.2.9 — CVE-2026-33257

Shared security patch analysis results

mode patchdiff ai copilot oswe-vscode-prime

02 · Lifecycle actions cancel · resume · skip · regenerate · redo

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2026-33257 NVD

AI-Generated Analysis

## 1. Vulnerability Background

What is this vulnerability?

- CVE-2026-33257 is a denial-of-service vulnerability in the YAHTTP internal HTTP parser implementation.
- The issue is rooted in ext/yahttp/yahttp/reqresp.cpp and reqresp.hpp, where incoming HTTP data is accepted and buffered without proper size enforcement.
- An attacker can drive the parser to allocate unbounded memory by sending carefully crafted HTTP input, causing the internal web server process to consume excessive RAM and fail.

Why is it critical/important?

- The flaw allows remote attackers to crash or degrade service availability of any process exposing the internal YAHTTP server.
- Even though the internal web server is disabled by default, it is often enabled in embedded or management contexts where access control may be weaker.
- Unlimited memory allocation is a classic and reliable DoS vector because it bypasses normal request handling limits and directly impacts process stability.

What systems/versions are affected?

- Any build of the affected codebase containing the unpatched ext/yahttp/yahttp/reqresp.cpp and reqresp.hpp implementation.
- The vulnerability is specific to the internal YAHTTP module and thus affects products or components using that internal web server.
- Since the internal server is disabled by default, only installations where it has been explicitly enabled or exposed are at risk.

## 2. Technical Details

Root cause analysis

- The parser failed to enforce a maximum HTTP header size during incremental input feeding. In `AsyncLoader<T>::feed`, incoming data was appended to `buffer` before any header size checks.
- The code used signed `ssize_t` for request and response size limits, creating signedness and overflow issues when comparing large unsigned body lengths.
- Chunked body parsing used `sscanf(buf, "%x", &chunk_size)` while `chunk_size` was a `size_t`, causing incorrect parsing on 64-bit architectures and weakening validation.
- Chunked body logic lacked aggregate size enforcement. The parser checked individual chunk sizes only against extreme bounds, but not against the configured maximum overall body size, allowing chunked payloads to grow beyond intended limits.

Attack vector and exploitation conditions

- An attacker who can reach the internal YAHTTP server can send a malicious HTTP request.
- The parser processes input incrementally through `AsyncLoader<T>::feed`.
- If the internal server is enabled, a request with oversized headers or chunked transfer encoding can trigger unbounded buffering.
- Specific exploitation conditions:
  - header parsing state remains less than 2 while data is appended,
  - body size comparisons are performed with signed conversions,
  - chunked transfer encoding is accepted and parsed without enforcing aggregate body limits.

Security implications

- Denial of Service: the most direct impact is memory exhaustion and process instability.
- The bug can be triggered without completing a valid request, making it relatively easy to exploit from a remote client.
- A large or malformed request may force the target process to allocate excessive memory before rejecting input, maximizing impact.

## 3. Patch Analysis

What code changes were made?

- New header-size handling constants and state were introduced in `reqresp.hpp`:
  - `YAHTTP_MAX_HEADER_SIZE` default set to 100 KB.
  - `max_header_size` field added.
  - `headersize` field added.
  - `hasBody` field added.
- Size-related fields were changed from `ssize_t` and `int` to `size_t`:
  - `max_request_size`, `max_response_size`, and `chunk_size`.
- In `AsyncLoader<T>::feed`:
  - header size is incremented and checked before appending to the buffer.
  - parse errors are thrown immediately when header size exceeds limits.
- In chunk parsing:
  - format specifier changed from `%x` to `%zx` to correctly parse `size_t` values.
  - chunk size validation now includes `chunk_size > maxbody`.
  - aggregate body length is checked before appending chunk data to `bodybuf`.
- In body size validation:
  - removed unsafe `static_cast<ssize_t>` comparisons and used direct unsigned comparisons.

How do these changes fix the vulnerability?

- Enforcing header size limits before buffer growth prevents unlimited memory allocation via oversized headers.
- Changing size limits to `size_t` removes signedness mismatches and prevents large unsigned values from wrapping into negative signed integers.
- Correct chunk size parsing ensures that large chunk lengths are interpreted accurately and not silently misparsed.
- Aggregate body size checks stop chunked requests from bypassing maximum body length limits through repeated chunk segments.

Security improvements introduced

- explicit header size limit enforcement
- safer type usage for size and length comparisons
- robust validation for chunked transfer bodies
- initialization of parser state variables to avoid stale or uninitialized values
- earlier rejection of malformed or oversized HTTP input

## 4. Proof of Concept (PoC) Guide

Prerequisites for exploitation

- A vulnerable build of YAHTTP with the internal web server enabled.
- Network access to the internal HTTP endpoint.
- A tool capable of sending raw HTTP requests, e.g. netcat or custom script.

Step-by-step exploitation approach

1. Construct a request with very large header data:
   - Send an HTTP request line followed by a long sequence of headers or a single oversized header value.
   - The parser will keep appending header data to the input buffer without checking total header size.
2. Alternatively, exploit chunked body parsing:
   - Send `Transfer-Encoding: chunked`.
   - Use a chunk size declaration that is valid but large, and continue sending chunk data in repeated segments.
   - Because the vulnerable parser only checked individual chunk size bounds and had signedness issues, it may accept more data than allowed and buffer it.
3. Monitor the server process:
   - Observe memory usage rising as the request is processed.
   - Expect the target process to either terminate or become unresponsive once memory is exhausted.

Expected behavior vs exploited behavior

- Expected behavior on patched code:
  - The server rejects oversized headers with a parse error.
  - Chunked bodies exceeding configured maximum size are rejected before excessive allocation.
  - Resource usage remains bounded.
- Exploited behavior on vulnerable code:
  - The server accepts large header/body input until memory is exhausted.
  - Process memory usage grows unbounded.
  - The service may crash, hang, or be killed by the operating system.

How to verify the vulnerability exists

- Send an oversized header request and confirm the process consumes increasing memory.
- Inspect logs for absence of header size rejection and for request handling continuing past normal limits.
- On patched systems, verify that the server responds with a parse error on oversized headers or chunked bodies, and memory remains stable.

## 5. Recommendations

Mitigation strategies

- Apply the patched code or upgrade to a version containing the fix.
- Keep the internal YAHTTP web server disabled unless explicitly required.
- If the internal server must be used, restrict access via firewall rules or network segmentation.
- Enforce additional connection and request rate limits around the internal server.

Detection methods

- Monitor for parse errors such as:
  - "Request header too large"
  - "Response header too large"
  - "Max request body size exceeded"
  - "Chunked body is too large"
- Watch for abnormal memory growth in processes hosting YAHTTP.
- Detect repeated malformed or oversized HTTP requests targeting internal endpoints.

Best practices to prevent similar issues

- Validate protocol input sizes before buffering or allocating memory.
- Use unsigned size types consistently for length and size comparisons.
- Avoid unsafe signed/unsigned casts when comparing sizes.
- Use correct format specifiers for the target data type (`%zx` for `size_t`).
- Implement explicit protocol limits for headers, bodies, and chunked transfer encodings.
- Apply fuzzing and boundary testing to HTTP parsers to identify unbounded allocation paths.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

ext/yahttp/yahttp/reqresp.cpp AI: 4 vulnerabilities 4 true positive(s) CVE-2026-33257

--- cache/pdns_rec-5.2.8/ext/yahttp/yahttp/reqresp.cpp	2026-04-29 05:56:10.170984596 +0000+++ cache/pdns_rec-5.2.9/ext/yahttp/yahttp/reqresp.cpp	2026-04-29 05:56:11.939110627 +0000@@ -40,7 +40,19 @@   }    template <class T>-  bool AsyncLoader<T>::feed(const std::string& somedata) {+  bool AsyncLoader<T>::feed(const std::string& somedata)+  {+    if (state < 2) {+      headersize += somedata.length(); // maye include some body data, we don't know yet...+      if (headersize > target->max_header_size) {+        if (target->kind == YAHTTP_TYPE_REQUEST) {+          throw ParseError("Request header too large");+        }+        else {+          throw ParseError("Response header too large");+        }+      }+    }     buffer.append(somedata);     while(state < 2) {       int cr=0;@@ -155,8 +167,8 @@         maxbody = minbody;       }       if (minbody < 1) return true; // guess there isn't anything left.-      if (target->kind == YAHTTP_TYPE_REQUEST && static_cast<ssize_t>(minbody) > target->max_request_size) throw ParseError("Max request body size exceeded");-      else if (target->kind == YAHTTP_TYPE_RESPONSE && static_cast<ssize_t>(minbody) > target->max_response_size) throw ParseError("Max response body size exceeded");+      if (target->kind == YAHTTP_TYPE_REQUEST && minbody > target->max_request_size) throw ParseError("Max request body size exceeded");+      else if (target->kind == YAHTTP_TYPE_RESPONSE && minbody > target->max_response_size) throw ParseError("Max response body size exceeded");     }      if (maxbody == 0) hasBody = false;@@ -175,20 +187,23 @@           buffer.copy(buf, pos);           buf[pos]=0; // just in case...           buffer.erase(buffer.begin(), buffer.begin()+pos+1); // remove line from buffer-          if (sscanf(buf, "%x", &chunk_size) != 1) {+          if (sscanf(buf, "%zx", &chunk_size) != 1) {             throw ParseError("Unable to parse chunk size");           }           if (chunk_size == 0) { state = 3; break; } // last chunk-          if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)) {+          if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2) || chunk_size > maxbody) {             throw ParseError("Chunk is too large");           }         } else {           int crlf=1;-          if (buffer.size() < static_cast<size_t>(chunk_size+1)) return false; // expect newline+          if (buffer.size() < chunk_size+1) return false; // expect newline           if (buffer.at(chunk_size) == '\r') {-            if (buffer.size() < static_cast<size_t>(chunk_size+2) || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return+            if (buffer.size() < chunk_size+2 || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return             crlf=2;           } else if (buffer.at(chunk_size) != '\n') return false;+          if (bodybuf.str().length() + chunk_size > maxbody) {+            throw ParseError("Chunked body is too large");+          }           std::string tmp = buffer.substr(0, chunk_size);           buffer.erase(buffer.begin(), buffer.begin()+chunk_size+crlf);           bodybuf << tmp;

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Header size limit enforcement missing ext/yahttp/yahttp/reqresp.cpp Lines 40-52
Old Code
  bool AsyncLoader<T>::feed(const std::string& somedata) {
    buffer.append(somedata);
    while(state < 2) {
      ...
Fixed Code
  bool AsyncLoader<T>::feed(const std::string& somedata)
  {
    if (state < 2) {
      headersize += somedata.length();
      if (headersize > target->max_header_size) {
        if (target->kind == YAHTTP_TYPE_REQUEST) {
          throw ParseError("Request header too large");
        }
        else {
          throw ParseError("Response header too large");
        }
      }
    }
    buffer.append(somedata);
    while(state < 2) {
      ...

Vulnerability Existed: yes
TRUE POSITIVE
Signedness/overflow in body size comparison ext/yahttp/yahttp/reqresp.cpp Lines 155-160
Old Code
      if (minbody < 1) return true;
      if (target->kind == YAHTTP_TYPE_REQUEST && static_cast<ssize_t>(minbody) > target->max_request_size) throw ParseError("Max request body size exceeded");
      else if (target->kind == YAHTTP_TYPE_RESPONSE && static_cast<ssize_t>(minbody) > target->max_response_size) throw ParseError("Max response body size exceeded");
Fixed Code
      if (minbody < 1) return true;
      if (target->kind == YAHTTP_TYPE_REQUEST && minbody > target->max_request_size) throw ParseError("Max request body size exceeded");
      else if (target->kind == YAHTTP_TYPE_RESPONSE && minbody > target->max_response_size) throw ParseError("Max response body size exceeded");

Vulnerability Existed: yes
TRUE POSITIVE
Incorrect chunk size parsing format string ext/yahttp/yahttp/reqresp.cpp Lines 175-180
Old Code
          if (sscanf(buf, "%x", &chunk_size) != 1) {
            throw ParseError("Unable to parse chunk size");
          }
Fixed Code
          if (sscanf(buf, "%zx", &chunk_size) != 1) {
            throw ParseError("Unable to parse chunk size");
          }

Vulnerability Existed: yes
TRUE POSITIVE
Chunked body length limit bypass ext/yahttp/yahttp/reqresp.cpp Lines 175-195
Old Code
          if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2)) {
            throw ParseError("Chunk is too large");
          }
...
          if (buffer.size() < static_cast<size_t>(chunk_size+1)) return false;
...
          std::string tmp = buffer.substr(0, chunk_size);
          buffer.erase(buffer.begin(), buffer.begin()+chunk_size+crlf);
          bodybuf << tmp;
Fixed Code
          if (chunk_size > (std::numeric_limits<decltype(chunk_size)>::max() - 2) || chunk_size > maxbody) {
            throw ParseError("Chunk is too large");
          }
...
          if (buffer.size() < chunk_size+1) return false;
...
          if (bodybuf.str().length() + chunk_size > maxbody) {
            throw ParseError("Chunked body is too large");
          }
          std::string tmp = buffer.substr(0, chunk_size);
          buffer.erase(buffer.begin(), buffer.begin()+chunk_size+crlf);
          bodybuf << tmp;

CVE Analysis Results:

CVE-2026-33257: Yes

View CVE Description

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

ext/yahttp/yahttp/reqresp.hpp AI: 2 vulnerabilities 2 true positive(s) CVE-2026-33257

--- cache/pdns_rec-5.2.8/ext/yahttp/yahttp/reqresp.hpp	2026-04-29 05:56:10.170984596 +0000+++ cache/pdns_rec-5.2.9/ext/yahttp/yahttp/reqresp.hpp	2026-04-29 05:56:11.939110627 +0000@@ -20,6 +20,10 @@  #include <algorithm> +#ifndef YAHTTP_MAX_HEADER_SIZE+#define YAHTTP_MAX_HEADER_SIZE (100 * 1024)+#endif+ #ifndef YAHTTP_MAX_REQUEST_SIZE #define YAHTTP_MAX_REQUEST_SIZE 2097152 #endif@@ -108,6 +112,7 @@ #endif       max_request_size = YAHTTP_MAX_REQUEST_SIZE;       max_response_size = YAHTTP_MAX_RESPONSE_SIZE;+      max_header_size = YAHTTP_MAX_HEADER_SIZE;       url = "";       method = "";       statusText = "";@@ -130,6 +135,7 @@       this->parameters = rhs.parameters; this->getvars = rhs.getvars;       this->body = rhs.body; this->max_request_size = rhs.max_request_size;       this->max_response_size = rhs.max_response_size; this->version = rhs.version;+      this->max_header_size = rhs.max_header_size; #ifdef HAVE_CPP_FUNC_PTR       this->renderer = rhs.renderer; #endif@@ -143,6 +149,7 @@       this->parameters = rhs.parameters; this->getvars = rhs.getvars;       this->body = rhs.body; this->max_request_size = rhs.max_request_size;       this->max_response_size = rhs.max_response_size; this->version = rhs.version;+      this->max_header_size = rhs.max_header_size; #ifdef HAVE_CPP_FUNC_PTR       this->renderer = rhs.renderer; #endif@@ -166,8 +173,9 @@      std::string body; //<! the actual content -    ssize_t max_request_size; //<! maximum size of request-    ssize_t max_response_size;  //<! maximum size of response+    size_t max_request_size; //<! maximum size of request+    size_t max_response_size; //<! maximum size of response+    size_t max_header_size; //<! maximum size of headers     bool is_multipart; //<! if the request is multipart, prevents Content-Length header #ifdef HAVE_CPP_FUNC_PTR     funcptr::function<size_t(const HTTPBase*,std::ostream&,bool)> renderer; //<! rendering function@@ -301,10 +309,11 @@          std::string buffer; //<! read buffer      bool chunked; //<! whether we are parsing chunked data-    int chunk_size; //<! expected size of next chunk+    size_t chunk_size; //<! expected size of next chunk     std::ostringstream bodybuf; //<! buffer for body     size_t maxbody; //<! maximum size of body     size_t minbody; //<! minimum size of body+    size_t headersize;                      bool hasBody; //<! are we expecting body      void keyValuePair(const std::string &keyvalue, std::string &key, std::string &value); //<! key value pair parser helper@@ -315,6 +324,7 @@       pos = 0; state = 0; this->target = target_;       hasBody = false;       buffer = "";+      headersize = 0;       this->target->initialize();     }; //<! Initialize the parser for target and clear state     bool feed(const std::string& somedata); //<! Feed data to the parser

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Denial of Service via unbounded HTTP header size ext/yahttp/yahttp/reqresp.hpp lines 20-24,108-112,130-135,143-149,301-324
Old Code
#include <algorithm>

#ifndef YAHTTP_MAX_REQUEST_SIZE
#define YAHTTP_MAX_REQUEST_SIZE 2097152
#endif

    ssize_t max_request_size; //<! maximum size of request
    ssize_t max_response_size;  //<! maximum size of response
    bool is_multipart; //<! if the request is multipart, prevents Content-Length header

    int chunk_size; //<! expected size of next chunk

    std::ostringstream bodybuf; //<! buffer for body
    size_t maxbody; //<! maximum size of body
    size_t minbody; //<! minimum size of body

    buffer = "";
    this->target->initialize();
Fixed Code
#include <algorithm>

#ifndef YAHTTP_MAX_HEADER_SIZE
#define YAHTTP_MAX_HEADER_SIZE (100 * 1024)
#endif

#ifndef YAHTTP_MAX_REQUEST_SIZE
#define YAHTTP_MAX_REQUEST_SIZE 2097152
#endif

    size_t max_request_size; //<! maximum size of request
    size_t max_response_size; //<! maximum size of response
    size_t max_header_size; //<! maximum size of headers
    bool is_multipart; //<! if the request is multipart, prevents Content-Length header

    size_t chunk_size; //<! expected size of next chunk

    std::ostringstream bodybuf; //<! buffer for body
    size_t maxbody; //<! maximum size of body
    size_t minbody; //<! minimum size of body
    size_t headersize;                 
    bool hasBody; //<! are we expecting body

    buffer = "";
    headersize = 0;
    this->target->initialize();
Vulnerability Existed: yes
TRUE POSITIVE
Integer signedness/overflow in HTTP parser size fields ext/yahttp/yahttp/reqresp.hpp lines 166-173,301-309
Old Code
    ssize_t max_request_size; //<! maximum size of request
    ssize_t max_response_size;  //<! maximum size of response
    bool is_multipart; //<! if the request is multipart, prevents Content-Length header

    std::string buffer; //<! read buffer 
    bool chunked; //<! whether we are parsing chunked data
    int chunk_size; //<! expected size of next chunk
    std::ostringstream bodybuf; //<! buffer for body
Fixed Code
    size_t max_request_size; //<! maximum size of request
    size_t max_response_size; //<! maximum size of response
    size_t max_header_size; //<! maximum size of headers
    bool is_multipart; //<! if the request is multipart, prevents Content-Length header

    std::string buffer; //<! read buffer 
    bool chunked; //<! whether we are parsing chunked data
    size_t chunk_size; //<! expected size of next chunk
    std::ostringstream bodybuf; //<! buffer for body

CVE Analysis Results:

CVE-2026-33257: Yes

View CVE Description

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

Showing 1 to 2 of 2 results