Description
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
Published: 2026-04-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Recursor
AI Analysis

Impact

A configuration change that moves a DNS zone’s security mechanism from NSEC to NSEC3 can trigger an internal inconsistency in PowerDNS Recursor. The inconsistency causes the recursor to crash, interrupting DNS resolution for clients that query the affected zone, resulting in a denial of service.

Affected Systems

The vulnerability affects the PowerDNS Recursor component, regardless of the operating system or deployment method. No specific recursor version is listed in the advisory, so all deployments that have not applied a future patch should be considered potentially vulnerable.

Risk and Exploitability

The CVSS base score of 5.9 indicates a medium severity. The vulnerability is triggered by a zone transition from NSEC to NSEC3, which may occur during zone data updates or reconfiguration. No explicit exploitation method is documented; the crash occurs only when the transition happens. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation is not currently observed. Based on the description, it is inferred that an actor who can induce the zone transition—such as a misconfigured zone author or a malicious zone transfer—could trigger repeated crashes.

Generated by OpenCVE AI on April 22, 2026 at 13:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest PowerDNS Recursor release that includes the patch for the NSEC to NSEC3 transition issue.
  • Monitor recursor logs for crashes that occur after zone transitions, and temporarily block zone updates until the patch is applied.
  • If an upgrade cannot be performed immediately, refrain from performing zone transitions from NSEC to NSEC3 until the vulnerability is addressed, or consider using a stable zone configuration that avoids the transition until a fix is available.

Generated by OpenCVE AI on April 22, 2026 at 13:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-353
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476

Wed, 22 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Wed, 22 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
Title Null pointer accces in aggressive NSEC(3) cache
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T18:09:53.895Z

Reserved: 2026-03-18T10:06:16.573Z

Link: CVE-2026-33261

cve-icon Vulnrichment

Updated: 2026-04-22T18:07:39.344Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T10:16:51.857

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-33261

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses