Skip to main content

PowerDNS Recursor EUVDEUVD-2026-24721

| CVE-2026-33258 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-22 security@open-xchange.com GHSA-mfmv-pg93-65w5
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 17:03 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:09 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24721
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 5.3

DescriptionCVE.org

By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.

AnalysisAI

Denial of service in PowerDNS Recursor allows remote unauthenticated attackers to exhaust resolver memory by publishing and querying crafted DNS zones that trigger excessive allocation in the negative and aggressive NSEC(3) caches. The vulnerability affects Recursor versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0, with a CVSS score of 5.3 reflecting low severity due to availability impact only (no code execution or data breach). Vendor-released patches are available.

Technical ContextAI

PowerDNS Recursor is a recursive DNS resolver that caches negative (NXDOMAIN, NODATA) and aggressive NSEC(3) denial-of-existence proofs to optimize query performance and reduce upstream traffic. The vulnerability lies in the caching logic for NSEC and NSEC3 records-specifically, the resolver does not properly limit the size or quantity of cache entries created in response to crafted zone queries. An attacker can craft DNS responses or publish malicious zones that cause the resolver to allocate disproportionately large memory structures in these caches, eventually exhausting available heap memory and triggering a denial of service. The root cause involves insufficient bounds checking on cache allocation for negative/aggressive proof records, allowing an unbounded growth attack vector over the DNS protocol (UDP/TCP port 53).

RemediationAI

Upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, 5.4.1, or later as applicable to your deployment. Check the vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for patch availability and release dates. If immediate patching is not feasible, implement rate limiting on DNS queries per client IP (e.g., using firewall or resolver-level rules) to limit the number of crafted zone queries an attacker can inject, reducing cache pollution impact. Additionally, consider restricting recursive resolution to trusted clients or networks via access control lists (ACLs) in the Recursor configuration; this limits exposure to external attackers but may impact legitimate recursive clients. Monitor resolver memory usage and cache statistics (via PowerDNS API or logs) for abnormal growth in NSEC/NSEC3 cache entries, which would indicate active exploitation attempts. Note that rate limiting may introduce latency for legitimate high-volume DNS consumers, and ACL restrictions reduce resolver utility for open recursive scenarios.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-24721 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy