Description
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
Published: 2026-04-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A crafted domain zone can be published and then queried to trigger the allocation of large entries in the negative and aggressive NSEC(3) caches of a PowerDNS Recursor. The resulting memory consumption and potential slowdown constitute a denial‑of‑service condition, as the resolver may become memory‑bound or significantly slower to respond to legitimate queries. The weakness is a failure to bound cache resource usage, corresponding to the uncontrolled resource consumption category.

Affected Systems

The vulnerability affects PowerDNS Recursor deployments. No specific version range is listed, so any installation of the recursor that has not applied an update that addresses the issue is potentially impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is not available for this entry. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it by creating an adversarial zone and making the recursor resolve it, which is remotely achievable given that DNS lookups are typically performed over the network. Successful exploitation would cause resource exhaustion, leading to degraded service or an outage of the DNS resolver.

Generated by OpenCVE AI on April 22, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PowerDNS Recursor to the latest release that contains the fix for this issue.
  • Configure the recursor to limit the size of negative or NSEC(3) cache entries, either by setting a hard cap or by adjusting cache time‑to‑live values.
  • Restrict recursive lookups from untrusted zones or enforce query rate limiting to reduce the impact of malicious requests.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-770
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Powerdns; Powerdns recursor
Vendors & Products | | Powerdns; Powerdns recursor

Wed, 22 Apr 2026 11:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-400

Wed, 22 Apr 2026 10:15:00 +0000

Type | Values Removed | Values Added
Description | | By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
Title | | Crafted zones can cause increased resource usage
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T18:10:21.762Z

Reserved: 2026-03-18T10:06:16.572Z

Link: CVE-2026-33258

Vulnrichment

Updated: 2026-04-22T18:03:59.267Z

NVD

Status: Awaiting Analysis

Published: 2026-04-22T10:16:51.460

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-33258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z