Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
AnalysisAI
Denial of service in PowerDNS Recursor allows remote unauthenticated attackers to exhaust resolver memory by publishing and querying crafted DNS zones that trigger excessive allocation in the negative and aggressive NSEC(3) caches. The vulnerability affects Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0, with a CVSS score of 5.3 reflecting low severity due to availability impact only (no code execution or data breach). Vendor-released patches are available.
Technical ContextAI
PowerDNS Recursor is a recursive DNS resolver that caches negative (NXDOMAIN, NODATA) and aggressive NSEC(3) denial-of-existence proofs to optimize query performance and reduce upstream traffic. The vulnerability lies in the caching logic for NSEC and NSEC3 records-specifically, the resolver does not properly limit the size or quantity of cache entries created in response to crafted zone queries. An attacker can craft DNS responses or publish malicious zones that cause the resolver to allocate disproportionately large memory structures in these caches, eventually exhausting available heap memory and triggering a denial of service. The root cause involves insufficient bounds checking on cache allocation for negative/aggressive proof records, allowing an unbounded growth attack vector over the DNS protocol (UDP/TCP port 53).
RemediationAI
Upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, 5.4.1, or later as applicable to your deployment. Check the vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for patch availability and release dates. If immediate patching is not feasible, implement rate limiting on DNS queries per client IP (e.g., using firewall or resolver-level rules) to limit the number of crafted zone queries an attacker can inject, reducing cache pollution impact. Additionally, consider restricting recursive resolution to trusted clients or networks via access control lists (ACLs) in the Recursor configuration; this limits exposure to external attackers but may impact legitimate recursive clients. Monitor resolver memory usage and cache statistics (via PowerDNS API or logs) for abnormal growth in NSEC/NSEC3 cache entries, which would indicate active exploitation attempts. Note that rate limiting may introduce latency for legitimate high-volume DNS consumers, and ACL restrictions reduce resolver utility for open recursive scenarios.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24721
GHSA-mfmv-pg93-65w5