Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
6DescriptionCVE.org
Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
AnalysisAI
PowerDNS Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 suffer denial of service and potential data corruption when a malfunctioning RPZ provider causes concurrent transfers of the same RPZ zone, leading to use-after-free conditions, inconsistent zone data, and recursor crashes. The vulnerability requires high privilege attacker control over an RPZ provider and non-standard network conditions, resulting in availability and integrity impact with a CVSS score of 5.0.
Technical ContextAI
PowerDNS Recursor is a recursive DNS resolver that supports Response Policy Zone (RPZ) data feeds for DNS filtering and security. RPZ transfers are typically performed over AXFR (full zone transfer) protocol. The vulnerability stems from inadequate synchronization or state management when the same RPZ zone is transferred concurrently-a condition that should not occur under normal operation but can be triggered by a misconfigured or intentionally malicious RPZ provider. The underlying issue is a race condition in memory management during zone data handling, resulting in use-after-free conditions where freed memory is accessed after transfer completion. This affects the zone caching layer and recursor process stability. The CWE classification was not provided in the source data, but the use-after-free and concurrent access patterns suggest CWE-416 (Use After Free) and CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization).
RemediationAI
Vendor-released patch: upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, 5.4.1, or later depending on the currently deployed version. All three version branches have received patches addressing the concurrent RPZ transfer synchronization issue. Until patching is feasible, implement compensating controls by monitoring RPZ provider health and disabling or rate-limiting zone transfers from known malfunctioning providers; this requires RPZ provider redundancy or failover logic and reduces filtering coverage during provider unavailability. A second mitigation is to implement process monitoring and automatic recursor restart on crash detection, which restores availability but does not prevent data inconsistency or underlying memory corruption. For mission-critical recursive resolvers, prioritize patching over workarounds to eliminate root cause. Consult the PowerDNS security advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-2026-03.html for version-specific guidance.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: LowShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24723
GHSA-6c6h-9v3q-3wqm