Description
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
Published: 2026-06-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious authoritative server can send a crafted zone via the ZoneToCache function in PowerDNS Recursor, causing the recursor to cache incorrect DNS records. This leads to cache poisoning, potentially redirecting client queries to attacker‑controlled IP addresses, enabling traffic interception, phishing attempts, or denial‑of‑service events. The underlying weakness is improper validation of zone data, consistent with CWE‑349.

Affected Systems

The affected product is PowerDNS Recursor. No specific version information is disclosed in the advisory, so any installation that has not yet applied the vendor’s patch remains at risk. Administrators should identify the running recursor version and determine whether the fix has been applied.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is deemed high severity. No EPSS score is available and it is not listed in the CISA KEV catalog, suggesting uncertainty about current exploitation activity. The likely attack path involves a compromised authoritative zone server that can be reached by the Recursor, allowing the attacker to inject a crafted zone and poison the cache. The recursor must process the zone, so the attacker needs network access to send zone data to the recursor but does not require direct access to the Recursor itself.

Generated by OpenCVE AI on June 25, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PowerDNS Recursor to the latest version that includes the zone cache poisoning fix.
  • Disable the ZoneToCache function or restrict its usage to trusted zones to prevent unauthorized zone injection.
  • Monitor DNS query responses and logs for unexpected changes, and apply network‑level filtering to block unwanted zone transfers.

Generated by OpenCVE AI on June 25, 2026 at 17:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6369-1 pdns-recursor security update
History

Thu, 25 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1294

Thu, 25 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1294

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-349
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Description A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
Title ZoneToCache can poison the cache
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L'}


Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T13:35:27.649Z

Reserved: 2026-03-23T12:58:38.267Z

Link: CVE-2026-33612

cve-icon Vulnrichment

Updated: 2026-06-25T13:35:14.277Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:00:12Z

Weaknesses
  • CWE-349

    Acceptance of Extraneous Untrusted Data With Trusted Data