Recursor
CVE-2026-0398
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
AnalysisAI
DNS recursive resolver denial-of-service via crafted zones and CNAME chain manipulation allows unauthenticated attackers to exhaust server resources and potentially poison the resolver's cache. The vulnerability affects Recursor instances exposed to untrusted DNS queries, enabling attackers to degrade performance or compromise DNS resolution integrity. No patch is currently available.
Technical ContextAI
This vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of response
An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. Rated high severity (CVSS 8.8), this vulne
Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]
An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. Rated high sever
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. Rated
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN respo
An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigge
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today