Skip to main content

PowerDNS Recursor EUVDEUVD-2026-24731

| CVE-2026-33600 MEDIUM
NULL Pointer Dereference (CWE-476)
2026-04-22 OX
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 16:59 nvd
Patch available
Analysis Generated
Apr 22, 2026 - 13:09 vuln.today
Patch available
Apr 22, 2026 - 11:16 EUVD
EUVD ID Assigned
Apr 22, 2026 - 10:00 euvd
EUVD-2026-24731
Analysis Generated
Apr 22, 2026 - 10:00 vuln.today
CVE Published
Apr 22, 2026 - 09:33 nvd
MEDIUM 4.4

DescriptionCVE.org

An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.

AnalysisAI

Denial of service in PowerDNS Recursor occurs when processing a malicious Response Policy Zone (RPZ) from an authoritative server, triggering a null pointer dereference due to missing validation logic. Versions 5.2.0-5.2.8, 5.3.0-5.3.5, and 5.4.0 are affected. An authenticated remote attacker controlling an authoritative nameserver can crash the Recursor service by sending a specially crafted RPZ response, requiring high privilege level (PR:H) and complex attack conditions (AC:H) as mitigating factors.

Technical ContextAI

PowerDNS Recursor is a caching DNS resolver that processes DNS responses and policies. Response Policy Zones (RPZs) are a BIND-compatible mechanism for applying dynamic DNS policies by querying a special zone served by an authoritative server. The vulnerability stems from insufficient validation when parsing RPZ data received from authoritative servers-specifically, a missing consistency check that should prevent null pointer construction. The null dereference occurs during RPZ processing, causing an unhandled exception that terminates the Recursor process. CWE classification is not provided, but the root cause aligns with CWE-476 (Null Pointer Dereference) and CWE-252 (Unchecked Return Value).

RemediationAI

Upgrade PowerDNS Recursor to version 5.2.9, 5.3.6, or 5.4.1 depending on your current branch-these releases include the null pointer consistency check fix. For environments unable to patch immediately, disable RPZ functionality if operationally feasible by removing RPZ zone definitions from the Recursor configuration file (typically recursor.conf) and restarting the service; this eliminates the attack surface at the cost of losing dynamic policy enforcement. Alternatively, restrict queries to RPZ zones from trusted authoritative servers only by implementing network-level access controls (firewall rules limiting outbound DNS queries to known-good RPZ providers) and validating TSIG signatures if the authoritative server supports authenticated RPZ delivery. Consult the PowerDNS security advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html for version-specific guidance and confirmation of patch applicability.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-24731 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy