Skip to main content

PowerDNS Recursor CVE-2026-33259

| EUVDEUVD-2026-24723 MEDIUM
Use After Free (CWE-416)
2026-04-22 security@open-xchange.com GHSA-6c6h-9v3q-3wqm
5.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.0 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
SUSE
3.1 LOW
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 17:03 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:10 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24723
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 5.0

DescriptionCVE.org

Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.

AnalysisAI

PowerDNS Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 suffer denial of service and potential data corruption when a malfunctioning RPZ provider causes concurrent transfers of the same RPZ zone, leading to use-after-free conditions, inconsistent zone data, and recursor crashes. The vulnerability requires high privilege attacker control over an RPZ provider and non-standard network conditions, resulting in availability and integrity impact with a CVSS score of 5.0.

Technical ContextAI

PowerDNS Recursor is a recursive DNS resolver that supports Response Policy Zone (RPZ) data feeds for DNS filtering and security. RPZ transfers are typically performed over AXFR (full zone transfer) protocol. The vulnerability stems from inadequate synchronization or state management when the same RPZ zone is transferred concurrently-a condition that should not occur under normal operation but can be triggered by a misconfigured or intentionally malicious RPZ provider. The underlying issue is a race condition in memory management during zone data handling, resulting in use-after-free conditions where freed memory is accessed after transfer completion. This affects the zone caching layer and recursor process stability. The CWE classification was not provided in the source data, but the use-after-free and concurrent access patterns suggest CWE-416 (Use After Free) and CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization).

RemediationAI

Vendor-released patch: upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, 5.4.1, or later depending on the currently deployed version. All three version branches have received patches addressing the concurrent RPZ transfer synchronization issue. Until patching is feasible, implement compensating controls by monitoring RPZ provider health and disabling or rate-limiting zone transfers from known malfunctioning providers; this requires RPZ provider redundancy or failover logic and reduces filtering coverage during provider unavailability. A second mitigation is to implement process monitoring and automatic recursor restart on crash detection, which restores availability but does not prevent data inconsistency or underlying memory corruption. For mission-critical recursive resolvers, prioritize patching over workarounds to eliminate root cause. Consult the PowerDNS security advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-2026-03.html for version-specific guidance.

Vendor StatusVendor

SUSE

Severity: Low

Share

CVE-2026-33259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy