Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.
AnalysisAI
Denial of service in PowerDNS secondary servers occurs when a rogue primary server sends crafted DNS update requests that cause file descriptor exhaustion on the secondary, eventually rendering the secondary unable to process legitimate DNS queries. The attack requires network-level coordination between a compromised or attacker-controlled primary server and a target secondary server, with moderate attack complexity due to the need to establish a primary-secondary relationship. No active exploitation has been confirmed in CISA KEV at time of analysis.
Technical ContextAI
PowerDNS Authoritative runs DNS secondary servers that replicate zone data from primary servers via zone transfers and DNS update mechanisms (NOTIFY/AXFR). When a secondary processes a DNS update request (typically via NOTIFY protocol or DNS UPDATE messages), it may allocate file descriptors to handle the incoming data. A rogue primary can send malformed or excessive update requests that fail to properly release file descriptors, leading to resource exhaustion. This is a resource-starvation attack that exploits the secondary's trust relationship with its configured primary server, targeting the DNS update ingestion code path.
RemediationAI
Consult the PowerDNS advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html for the patched version and apply the vendor-released fix immediately to all secondary servers. In the interim, limit zone transfer relationships and DNS update sources to primary servers on trusted networks; restrict secondary servers' network access to primary servers to only necessary IP addresses and ports using firewall rules; monitor file descriptor usage on secondary servers using system tools (lsof, netstat) to detect exhaustion patterns; and implement rate limiting on NOTIFY/UPDATE message processing at the network perimeter if the DNS infrastructure allows. These compensating controls reduce attack surface but do not eliminate the vulnerability - patching is the authoritative remediation.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24949
GHSA-7rv6-r2fm-295c