Description
If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
Published: 2026-04-22
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply patch
AI Analysis

Impact

A missing consistency check in the zoneToCache function allows an attacker to craft a malicious zone that causes a null pointer dereference in PowerDNS Recursor, resulting in an application crash and loss of service. The vulnerability directly lowers availability and can be triggered by delivering a specially crafted zone file to a recursor that otherwise accepts external zones for resolving queries. The primary weakness is lack of proper input validation before accessing internal data structures.

Affected Systems

This flaw affects the PowerDNS Recursor. No specific affected versions are listed in the advisory, so all releases that use the unpatched zoneToCache routine are potentially vulnerable until the vendor issues a fix.

Risk and Exploitability

The CVSS score is 4.4, indicating moderate severity. EPSS is not available, and the flaw is not yet listed in the CISA KEV catalog, showing it is not widely exploited yet. The likelihood of exploitation depends on an attacker’s ability to control an authoritative server or otherwise deliver a malicious zone to the recursor. If such conditions are met, the attacker can force the recursor to crash, causing a denial of service for users querying that recursor. The risk is mitigated by upgrading once a fix is released or by restricting zone sources.

Generated by OpenCVE AI on April 22, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PowerDNS Recursor to the version released in the advisory that contains the security fix.
  • Restrict the use of zoneToCache to trusted authoritative servers, or disable the function if it is not required for your deployment.
  • Implement monitoring of Recursor crash logs and configure automatic service restarts to restore availability more rapidly.

Generated by OpenCVE AI on April 22, 2026 at 11:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Weaknesses CWE-476
Vendors & Products Powerdns
Powerdns recursor

Wed, 22 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Description If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
Title Insufficient validation of zonemd record
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-04-22T18:10:44.494Z

Reserved: 2026-03-23T12:57:56.815Z

Link: CVE-2026-33601

cve-icon Vulnrichment

Updated: 2026-04-22T18:00:19.125Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-22T10:16:52.223

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-33601

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses