Description
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
Published: 2026-04-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Recursor
AI Analysis

Impact

The vulnerability is a null pointer access triggered during the transition of a DNS zone from NSEC to NSEC3, causing an internal inconsistency that leads to the PowerDNS Recursor crashing. This crash interrupts DNS resolution for clients that query the affected zone, resulting in a denial of service. The weakness is reflected in CWE‑353 (Race Condition).

Affected Systems

The issue affects PowerDNS Recursor, specifically the 5.4.0 release as identified by the advisory. Any deployment of this version, regardless of operating system or deployment method, is potentially vulnerable. Earlier or later releases may not contain the flaw.

Risk and Exploitability

The CVSS base score of 5.9 indicates a medium severity. The vulnerability is triggered by a zone transition from NSEC to NSEC3, which may occur during zone data updates or reconfiguration. No explicit exploitation method is documented; the crash occurs only when the transition happens. The EPSS score is <1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation is not currently observed. Based on the description, it is inferred that an actor who can induce the zone transition—such as a misconfigured zone author or a malicious zone transfer—could trigger repeated crashes.

Generated by OpenCVE AI on April 29, 2026 at 00:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest PowerDNS Recursor release that includes the patch for the NSEC to NSEC3 transition issue.
  • Monitor recursor logs for crashes that occur after zone transitions, and temporarily block zone updates until the patch is applied.
  • If an upgrade cannot be performed immediately, refrain from performing zone transitions from NSEC to NSEC3 until the vulnerability is addressed, or consider using a stable zone configuration that avoids the transition until a fix is available.

Generated by OpenCVE AI on April 29, 2026 at 00:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6234-1 pdns-recursor security update
History

Tue, 28 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*
cpe:2.3:a:powerdns:recursor:5.4.0:*:*:*:*:*:*:*

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-353
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 22 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Wed, 22 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
Title Null pointer accces in aggressive NSEC(3) cache
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T18:09:53.895Z

Reserved: 2026-03-18T10:06:16.573Z

Link: CVE-2026-33261

cve-icon Vulnrichment

Updated: 2026-04-22T18:07:39.344Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-22T10:16:51.857

Modified: 2026-04-27T17:03:09.103

Link: CVE-2026-33261

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z

Weaknesses