Skip to main content

PowerDNS Authoritative EUVDEUVD-2026-24945

| CVE-2026-33608 HIGH
Code Injection (CWE-94)
2026-04-22 security@open-xchange.com GHSA-q6jm-wh7h-j4g3
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 18:52 nvd
Patch available
Patch available
Apr 22, 2026 - 16:33 EUVD
Re-analysis Queued
Apr 22, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 15:00 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 14:22 euvd
EUVD-2026-24945
Analysis Generated
Apr 22, 2026 - 14:22 vuln.today
CVE Published
Apr 22, 2026 - 14:16 nvd
HIGH 7.4

DescriptionCVE.org

An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.

AnalysisAI

Remote attackers can corrupt PowerDNS Authoritative Server configuration via specially crafted DNS NOTIFY requests, causing persistent denial of service requiring manual administrator intervention. The attack adds malformed secondary domains to the bind backend, rendering the configuration invalid and preventing the server from restarting. No active exploitation confirmed at time of analysis, but the network-accessible attack vector and lack of authentication requirements elevate risk for internet-facing authoritative DNS servers.

Technical ContextAI

PowerDNS Authoritative Server uses modular backends for zone storage and management. The bind backend emulates BIND's zone file behavior and maintains its own configuration file tracking zone definitions. DNS NOTIFY (RFC 1996) is a mechanism where primary nameservers signal zone updates to secondaries. This vulnerability exploits the bind backend's NOTIFY request handling logic, which processes inbound notifications to dynamically add secondary zones. The flaw allows injection of malformed zone definitions that pass initial validation but create syntactically invalid backend configuration, corrupting the persistent state. The CWE classification is not provided, but the behavior aligns with improper input validation (CWE-20) combined with improper handling of exceptional conditions (CWE-755), where the backend fails to validate configuration integrity before committing changes to persistent storage.

RemediationAI

Consult the official PowerDNS security advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-05.html for vendor-confirmed patch versions and upgrade instructions. Primary mitigation is upgrading PowerDNS Authoritative Server to the patched release specified in the advisory. For environments unable to immediately patch, implement compensating controls by restricting NOTIFY request sources using allow-notify-from directives to permit only trusted primary nameservers, effectively blocking untrusted attackers from triggering the vulnerability. This configuration change provides effective protection but requires maintaining accurate ACLs as DNS infrastructure evolves. Alternatively, if bind backend functionality is not operationally required, migrate zone data to alternative backends (such as generic SQL backends) which are not affected by this configuration corruption flaw. After any exploitation incident, manual recovery involves identifying corrupted zone definitions in the bind backend configuration file, removing malformed entries, and validating configuration syntax before service restart.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-24945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy