Description
Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
Published: 2026-04-22
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service due to Recursor crash
Action: Apply Patch
AI Analysis

Impact

A race condition in PowerDNS Recursor allows concurrent transfers of the same RPZ zone to corrupt internal data structures, resulting in use‑after‑free errors that cause the recursor process to crash. The vulnerability can lead to availability loss but does not provide direct access to data or control of the system.

Affected Systems

All versions of PowerDNS Recursor that have not applied the fix referenced in the PowerDNS advisory are affected. The exact version range is not specified, so any unsupported or older release should be considered vulnerable until the patch is applied.

Risk and Exploitability

The CVSS score of 5.0 classifies this as a moderate severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can influence or impersonate an RPZ provider to cause concurrent RPZ zone transfers, which is less common but still possible if communications are not authenticated or validated.

Generated by OpenCVE AI on April 22, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PowerDNS Recursor to the latest release that contains the RPZ race condition fix referenced in the advisory.
  • Configure RPZ zone transfers to use authenticated, trusted providers and enforce integrity checks to prevent malicious or duplicated updates.
  • If the recursor is in a high‑availability environment, restart the service after any RPZ configuration change to ensure the internal state is clean.

Generated by OpenCVE AI on April 22, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Wed, 22 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
CWE-416

Wed, 22 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
Title Concurrent modification of RPZ data can lead to denial of servce
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H'}

Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T18:10:14.046Z

Reserved: 2026-03-18T10:06:16.573Z

Link: CVE-2026-33259

cve-icon Vulnrichment

Updated: 2026-04-22T18:04:15.479Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T10:16:51.580

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-33259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:47:51Z

Weaknesses