PowerDNS Recursor CVE-2026-33259

| EUVD-2026-24723 MEDIUM
Use After Free (CWE-416)
2026-04-22 [email protected] GHSA-6c6h-9v3q-3wqm
Denial Of Service Use After Free Memory Corruption
5.0
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Apr 22, 2026 - 13:10 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD

DescriptionNVD

Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.

AnalysisAI

PowerDNS Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 suffer denial of service and potential data corruption when a malfunctioning RPZ provider causes concurrent transfers of the same RPZ zone, leading to use-after-free conditions, inconsistent zone data, and recursor crashes. The vulnerability requires high privilege attacker control over an RPZ provider and non-standard network conditions, resulting in availability and integrity impact with a CVSS score of 5.0.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-33259 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy