Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
AnalysisAI
Denial of service in PowerDNS Recursor via null pointer dereference in the zoneToCache function when processing zone data from a malicious authoritative server. Affects Recursor 5.2.0 through 5.4.0 and requires high privileges and non-standard network conditions to exploit, resulting in service availability impact but not data compromise. Patch available from vendor.
Technical ContextAI
PowerDNS Recursor is a DNS recursive resolver that caches zone data using the zoneToCache function. The vulnerability exists in this zone caching mechanism, which processes authoritative zone responses from upstream DNS servers. The root cause is a missing consistency check in the zone data validation logic before dereferencing pointers, allowing a crafted zone response to trigger a null pointer dereference. This affects the DNS resolver's core query resolution pathway when zone caching is in use. The vulnerability requires interaction with a malicious authoritative server, meaning the attacker must control or intercept responses from an upstream DNS authority that the Recursor queries.
RemediationAI
Upgrade to patched versions immediately: Recursor 5.2.9 or later, Recursor 5.3.6 or later, or Recursor 5.4.1 or later. Consult vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for exact patch availability and release dates. As a compensating control, restrict the Recursor's upstream authoritative server list to trusted, internally-controlled nameservers only, reducing exposure to malicious zone responses. Configure firewall rules to prevent the Recursor from accepting DNS responses from external or untrusted networks. Monitor Recursor process availability and implement alerting for unexpected restarts or service interruptions that may indicate exploitation attempts. Note that these controls mitigate risk but do not eliminate the vulnerability; patching is the primary remediation.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24733