Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.
AnalysisAI
Null pointer dereference in PowerDNS Recursor allows remote attackers to trigger a denial of service by sending crafted DNS replies that bypass a missing consistency check. The vulnerability affects Recursor versions 5.2.0 through 5.2.8, 5.3.0 through 5.3.5, and 5.4.0, with CVSS 5.9 reflecting high availability impact but requiring special network conditions (AC:H). No public exploit code identified at time of analysis.
Technical ContextAI
PowerDNS Recursor is a DNS recursive resolver that processes incoming DNS queries and replies. The vulnerability stems from insufficient validation when handling DNS reply messages, allowing a crafted reply to reach a code path that dereferences a null pointer without proper initialization or sanity checking. The missing consistency check fails to validate the state of internal data structures before dereferencing, a classic memory safety issue. The CVSS vector (AV:N/AC:H) indicates the attack requires network-level access but elevated complexity due to specific network conditions or timing requirements that must be satisfied for the null pointer dereference to occur. The note that 'cookies are disabled by default' suggests the vulnerability may relate to DNSSEC or DNS cookie validation mechanisms that, when absent, create a window for malformed replies to trigger the flaw.
RemediationAI
Upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, 5.4.1 or later according to your current branch. For 5.2.x deployments, apply upgrade to 5.2.9; for 5.3.x, upgrade to 5.3.6; for 5.4.x, upgrade to 5.4.1. Until patching is feasible, implement network-level restrictions by limiting DNS reply sources to authorized upstream nameservers only - configure strict acl rules in recursor.conf to accept replies only from explicitly whitelisted IP addresses, which raises the bar for crafting malicious replies by requiring network proximity or BGP hijacking. This mitigation has minimal side effects if properly scoped but does not eliminate risk if an authorized upstream is compromised. Refer to the vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for detailed patching instructions.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24729
GHSA-ghrj-5797-7659