Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
AnalysisAI
PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.
Technical ContextAI
This vulnerability affects the DNSSEC validation logic in PowerDNS Recursor, specifically the handling of zone transitions between NSEC (Next Secure) and NSEC3 (Next Secure version 3) record types used for authenticated denial of existence in DNSSEC. NSEC and NSEC3 are cryptographic proof mechanisms that serve different operational purposes: NSEC provides enumeration-proof via chain-of-command records, while NSEC3 provides hashed proofs to prevent zone enumeration. When a zone changes from one type to the other during resolution, the recursor's internal state management fails to properly reconcile the differing record formats, leading to an internal inconsistency condition. This is a network-accessible DNSSEC parsing issue (CWE category: improper validation or state management in cryptographic protocol handling).
RemediationAI
Apply vendor-released patches immediately: upgrade PowerDNS Recursor 5.2.x systems to 5.2.9 or later, 5.3.x systems to 5.3.6 or later, and 5.4.x systems to 5.4.1 or later. Patches are available from the vendor at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html. During patch deployment, monitor resolver logs for DNSSEC processing errors or elevated query failures, which may indicate exploitation attempts or zone transition conditions. If immediate patching is not feasible, implement network-level controls to restrict recursive queries to trusted clients and monitor for sudden resolver unavailability coinciding with large DNSSEC query volumes; however, these mitigations do not address the root cause and should only be temporary measures pending patch deployment. No workarounds or feature disablement options are documented; patching is the only supported remediation.
Same weakness CWE-353 – Missing Support for Integrity Check
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24727
GHSA-rq6v-8q98-rrj8