Skip to main content

PowerDNS Recursor CVE-2026-33601

| EUVDEUVD-2026-24733 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 security@open-xchange.com
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 16:58 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:10 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24733
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 4.4

DescriptionCVE.org

If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.

AnalysisAI

Denial of service in PowerDNS Recursor via null pointer dereference in the zoneToCache function when processing zone data from a malicious authoritative server. Affects Recursor 5.2.0 through 5.4.0 and requires high privileges and non-standard network conditions to exploit, resulting in service availability impact but not data compromise. Patch available from vendor.

Technical ContextAI

PowerDNS Recursor is a DNS recursive resolver that caches zone data using the zoneToCache function. The vulnerability exists in this zone caching mechanism, which processes authoritative zone responses from upstream DNS servers. The root cause is a missing consistency check in the zone data validation logic before dereferencing pointers, allowing a crafted zone response to trigger a null pointer dereference. This affects the DNS resolver's core query resolution pathway when zone caching is in use. The vulnerability requires interaction with a malicious authoritative server, meaning the attacker must control or intercept responses from an upstream DNS authority that the Recursor queries.

RemediationAI

Upgrade to patched versions immediately: Recursor 5.2.9 or later, Recursor 5.3.6 or later, or Recursor 5.4.1 or later. Consult vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for exact patch availability and release dates. As a compensating control, restrict the Recursor's upstream authoritative server list to trusted, internally-controlled nameservers only, reducing exposure to malicious zone responses. Configure firewall rules to prevent the Recursor from accepting DNS responses from external or untrusted networks. Monitor Recursor process availability and implement alerting for unexpected restarts or service interruptions that may indicate exploitation attempts. Note that these controls mitigate risk but do not eliminate the vulnerability; patching is the primary remediation.

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-33601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy