Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
AnalysisAI
Denial of service in PowerDNS Recursor occurs when processing a malicious Response Policy Zone (RPZ) from an authoritative server, triggering a null pointer dereference due to missing validation logic. Versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 are affected. An authenticated remote attacker controlling an authoritative nameserver can crash the Recursor service by sending a specially crafted RPZ response, requiring high privilege level (PR:H) and complex attack conditions (AC:H) as mitigating factors.
Technical ContextAI
PowerDNS Recursor is a caching DNS resolver that processes DNS responses and policies. Response Policy Zones (RPZs) are a BIND-compatible mechanism for applying dynamic DNS policies by querying a special zone served by an authoritative server. The vulnerability stems from insufficient validation when parsing RPZ data received from authoritative servers-specifically, a missing consistency check that should prevent null pointer construction. The null dereference occurs during RPZ processing, causing an unhandled exception that terminates the Recursor process. CWE classification is not provided, but the root cause aligns with CWE-476 (Null Pointer Dereference) and CWE-252 (Unchecked Return Value).
RemediationAI
Upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, or 5.4.1 depending on your current branch-these releases include the null pointer consistency check fix. For environments unable to patch immediately, disable RPZ functionality if operationally feasible by removing RPZ zone definitions from the Recursor configuration file (typically recursor.conf) and restarting the service; this eliminates the attack surface at the cost of losing dynamic policy enforcement. Alternatively, restrict queries to RPZ zones from trusted authoritative servers only by implementing network-level access controls (firewall rules limiting outbound DNS queries to known-good RPZ providers) and validating TSIG signatures if the authoritative server supports authenticated RPZ delivery. Consult the PowerDNS security advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for version-specific guidance and confirmation of patch applicability.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24731