Skip to main content

PowerDNS Recursor CVE-2026-40012

| EUVDEUVD-2026-39356 MEDIUM
Use of Cache Containing Sensitive Information (CWE-524)
2026-06-25 OX GHSA-fmvv-f47m-6c7p
5.3
CVSS 3.1 · Vendor: OX
Share

Severity by source

Vendor (OX) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable DNS service, no credentials needed once ECS is enabled, only partial client subnet data disclosed with no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (OX).

CVSS VectorVendor: OX

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 15:17 EUVD
Analysis Generated
Jun 25, 2026 - 14:16 vuln.today

DescriptionCVE.org

ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;

AnalysisAI

Improper packet cache handling in PowerDNS Recursor causes ECS zero-scoped DNS answers to be stored in the cache when they should be discarded or handled as global entries, creating an information disclosure pathway. All Recursor versions (cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*) are affected, but only deployments with EDNS Client Subnet (ECS) explicitly enabled are exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send DNS query to ECS-enabled Recursor
Delivery
Recursor forwards query with ECS option to authoritative
Exploit
Authoritative returns zero-scoped ECS answer
Execution
Recursor improperly stores answer in packet cache with ECS metadata
Persist
Attacker queries cache via crafted lookup
Impact
Cached response reveals prior client ECS scope data

Vulnerability AssessmentAI

Exploitation ECS (EDNS Client Subnet) must be explicitly enabled in the PowerDNS Recursor configuration - this is not the default deployment state, meaning the majority of Recursor installations are unaffected by default. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N accurately reflects a remotely triggerable, unauthenticated information disclosure with limited confidentiality impact and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a series of DNS queries through an ECS-enabled PowerDNS Recursor - potentially from multiple source IP addresses representing different client subnets - and crafts queries for domains whose authoritative servers return zero-scoped ECS answers. Because the Recursor improperly stores these answers in the packet cache with ECS scope metadata, a subsequent query from a different client subnet may receive a cached response that exposes the ECS scope from a prior query, leaking partial subnet information about previous querying clients. …
Remediation Consult the PowerDNS security advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html for the specific patched Recursor release version - a vendor advisory exists but the input data does not supply an exact fix version, so the precise upgrade target cannot be independently confirmed here and should be taken directly from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-3807 CRITICAL
9.8 Jan 29

An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of response

CVE-2020-10030 HIGH
8.8 May 19

An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. Rated high severity (CVSS 8.8), this vulne

CVE-2025-59023 HIGH
8.2 Feb 09

Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]

CVE-2019-3806 HIGH
8.1 Jan 29

An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied

CVE-2015-1868 HIGH
7.8 May 18

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori

CVE-2015-5470 HIGH
7.8 Nov 02

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)

CVE-2023-22617 HIGH
7.5 Jan 21

A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS

CVE-2022-27227 HIGH
7.5 Mar 25

In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4

CVE-2020-25829 HIGH
7.5 Oct 16

An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. Rated high sever

CVE-2020-10995 HIGH
7.5 May 19

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. Rated

CVE-2020-12244 HIGH
7.5 May 19

An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN respo

CVE-2018-16855 HIGH
7.5 Dec 03

An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigge

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-40012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy