Skip to main content

PowerDNS Recursor EUVDEUVD-2026-24727

| CVE-2026-33261 MEDIUM
Missing Support for Integrity Check (CWE-353)
2026-04-22 security@open-xchange.com GHSA-rq6v-8q98-rrj8
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 17:03 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:10 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:22 euvd
EUVD-2026-24727
Analysis Generated
Apr 22, 2026 - 10:22 vuln.today
CVE Published
Apr 22, 2026 - 10:16 nvd
MEDIUM 5.9

DescriptionCVE.org

A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.

AnalysisAI

PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.

Technical ContextAI

This vulnerability affects the DNSSEC validation logic in PowerDNS Recursor, specifically the handling of zone transitions between NSEC (Next Secure) and NSEC3 (Next Secure version 3) record types used for authenticated denial of existence in DNSSEC. NSEC and NSEC3 are cryptographic proof mechanisms that serve different operational purposes: NSEC provides enumeration-proof via chain-of-command records, while NSEC3 provides hashed proofs to prevent zone enumeration. When a zone changes from one type to the other during resolution, the recursor's internal state management fails to properly reconcile the differing record formats, leading to an internal inconsistency condition. This is a network-accessible DNSSEC parsing issue (CWE category: improper validation or state management in cryptographic protocol handling).

RemediationAI

Apply vendor-released patches immediately: upgrade PowerDNS Recursor 5.2.x systems to 5.2.9 or later, 5.3.x systems to 5.3.6 or later, and 5.4.x systems to 5.4.1 or later. Patches are available from the vendor at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html. During patch deployment, monitor resolver logs for DNSSEC processing errors or elevated query failures, which may indicate exploitation attempts or zone transition conditions. If immediate patching is not feasible, implement network-level controls to restrict recursive queries to trusted clients and monitor for sudden resolver unavailability coinciding with large DNSSEC query volumes; however, these mitigations do not address the root cause and should only be temporary measures pending patch deployment. No workarounds or feature disablement options are documented; patching is the only supported remediation.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-24727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy