Skip to main content

PowerDNS Recursor CVE-2026-33262

| EUVDEUVD-2026-24729 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 security@open-xchange.com GHSA-ghrj-5797-7659
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 17:02 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:10 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24729
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 5.9

DescriptionCVE.org

An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.

AnalysisAI

Null pointer dereference in PowerDNS Recursor allows remote attackers to trigger a denial of service by sending crafted DNS replies that bypass a missing consistency check. The vulnerability affects Recursor versions 5.2.0 through 5.2.8, 5.3.0 through 5.3.5, and 5.4.0, with CVSS 5.9 reflecting high availability impact but requiring special network conditions (AC:H). No public exploit code identified at time of analysis.

Technical ContextAI

PowerDNS Recursor is a DNS recursive resolver that processes incoming DNS queries and replies. The vulnerability stems from insufficient validation when handling DNS reply messages, allowing a crafted reply to reach a code path that dereferences a null pointer without proper initialization or sanity checking. The missing consistency check fails to validate the state of internal data structures before dereferencing, a classic memory safety issue. The CVSS vector (AV:N/AC:H) indicates the attack requires network-level access but elevated complexity due to specific network conditions or timing requirements that must be satisfied for the null pointer dereference to occur. The note that 'cookies are disabled by default' suggests the vulnerability may relate to DNSSEC or DNS cookie validation mechanisms that, when absent, create a window for malformed replies to trigger the flaw.

RemediationAI

Upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, 5.4.1 or later according to your current branch. For 5.2.x deployments, apply upgrade to 5.2.9; for 5.3.x, upgrade to 5.3.6; for 5.4.x, upgrade to 5.4.1. Until patching is feasible, implement network-level restrictions by limiting DNS reply sources to authorized upstream nameservers only - configure strict acl rules in recursor.conf to accept replies only from explicitly whitelisted IP addresses, which raises the bar for crafting malicious replies by requiring network proximity or BGP hijacking. This mitigation has minimal side effects if properly scoped but does not eliminate risk if an authorized upstream is compromised. Refer to the vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for detailed patching instructions.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-33262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy