Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
7DescriptionCVE.org
An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.
AnalysisAI
Remote attackers can corrupt PowerDNS Authoritative Server configuration via specially crafted DNS NOTIFY requests, causing persistent denial of service requiring manual administrator intervention. The attack adds malformed secondary domains to the bind backend, rendering the configuration invalid and preventing the server from restarting. No active exploitation confirmed at time of analysis, but the network-accessible attack vector and lack of authentication requirements elevate risk for internet-facing authoritative DNS servers.
Technical ContextAI
PowerDNS Authoritative Server uses modular backends for zone storage and management. The bind backend emulates BIND's zone file behavior and maintains its own configuration file tracking zone definitions. DNS NOTIFY (RFC 1996) is a mechanism where primary nameservers signal zone updates to secondaries. This vulnerability exploits the bind backend's NOTIFY request handling logic, which processes inbound notifications to dynamically add secondary zones. The flaw allows injection of malformed zone definitions that pass initial validation but create syntactically invalid backend configuration, corrupting the persistent state. The CWE classification is not provided, but the behavior aligns with improper input validation (CWE-20) combined with improper handling of exceptional conditions (CWE-755), where the backend fails to validate configuration integrity before committing changes to persistent storage.
RemediationAI
Consult the official PowerDNS security advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html for vendor-confirmed patch versions and upgrade instructions. Primary mitigation is upgrading PowerDNS Authoritative Server to the patched release specified in the advisory. For environments unable to immediately patch, implement compensating controls by restricting NOTIFY request sources using allow-notify-from directives to permit only trusted primary nameservers, effectively blocking untrusted attackers from triggering the vulnerability. This configuration change provides effective protection but requires maintaining accurate ACLs as DNS infrastructure evolves. Alternatively, if bind backend functionality is not operationally required, migrate zone data to alternative backends (such as generic SQL backends) which are not affected by this configuration corruption flaw. After any exploitation incident, manual recovery involves identifying corrupted zone definitions in the bind backend configuration file, removing malformed entries, and validating configuration syntax before service restart.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24945
GHSA-q6jm-wh7h-j4g3