Description
Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
Published: 2026-02-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service / Cache Poisoning
Action: Assess Impact
AI Analysis

Impact

The vulnerability permits an attacker to supply DNS zones with specially crafted records, including CNAME chains, that cause the Recursor to consume a significant amount of memory and CPU, or to store incorrect information in its cache, leading to denial of service or cache poisoning. This is a CWE‑770 type flaw where excessive resource consumption can be triggered by user input.

Affected Systems

All installations of PowerDNS Recursor are potentially vulnerable. The CVE lists the product but does not specify affected releases, so any deployment of Recursor could be impacted.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate risk, and the EPSS score of less than 1% indicates a very low exploitation probability at the time of analysis. The issue is not in the CISA KEV catalog. The attack can be performed over the network by an adversary who can direct the Recursor to resolve zones under their control, exploiting the Recursor’s handling of zone data. No specific prerequisites other than the ability to query the Recursor are required.

Generated by OpenCVE AI on April 17, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the PowerDNS website or documentation for a security patch or newer release that addresses the resource‑consumption and cache‑poisoning issue and upgrade accordingly.
  • Configure Recursor to limit recursion depth, set a maximum recursion quota, and apply request rate limiting to reduce the impact of excessive resource usage by malicious zones.
  • Enable DNSSEC validation in Recursor to help verify the authenticity of returned records and mitigate cache poisoning, and consider using a DNS firewall or filtering rules to block queries for zones that appear suspicious.

Advisories
Source | ID | Title
Debian DSA | DSA-6134-1 | pdns-recursor security update

History

Mon, 20 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Powerdns; Powerdns recursor
Vendors & Products | | Powerdns; Powerdns recursor

Mon, 09 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-770
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.
Title | | Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-02-09T15:37:04.885Z

Reserved: 2025-11-28T09:18:07.874Z

Link: CVE-2026-0398

Vulnrichment

Updated: 2026-02-09T15:37:00.577Z

NVD

Status: Analyzed

Published: 2026-02-09T15:16:11.360

Modified: 2026-04-20T14:55:46.507

Link: CVE-2026-0398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses