This page lists publicly disclosed CVE vulnerabilities affecting PowerDNS Recursor (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.

| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-33601 | If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that results in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | [email protected] | 4.4 | 0.02% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33600 | An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | [email protected] | 4.4 | 0.02% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33262 | An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default. | [email protected] | 5.9 | 0.02% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33261 | A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service. | [email protected] | 5.9 | 0.02% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33260 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | [email protected] | 5.3 | 0.01% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33259 | Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider. | [email protected] | 5.0 | 0.01% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33258 | By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches. | [email protected] | 5.3 | 0.01% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33257 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | [email protected] | 5.3 | 0.01% | 2026-04-22 | 2026-04-27 |
| CVE-2026-33256 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | [email protected] | 5.3 | 0.01% | 2026-04-22 | 2026-04-27 |
| CVE-2026-24027 | Crafted zones can lead to increased incoming network traffic. | [email protected] | 5.3 | 0.01% | 2026-02-09 | 2026-04-20 |
| CVE-2026-0398 | Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor. | [email protected] | 5.3 | 0.01% | 2026-02-09 | 2026-04-20 |
| CVE-2025-59024 | Crafted delegations or IP fragments can poison cached delegations in Recursor. | [email protected] | 6.5 | 0.01% | 2026-02-09 | 2026-04-20 |
| CVE-2025-59023 | Crafted delegations or IP fragments can poison cached delegations in Recursor. | [email protected] | 8.2 | 0.01% | 2026-02-09 | 2026-04-20 |
| CVE-2025-59030 | An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP. | [email protected] | 7.5 | 0.08% | 2025-12-09 | 2026-02-19 |
| CVE-2025-59029 | An attacker can trigger an assertion failure by requesting crafted DNS records, waiting for them to be inserted into the records cache, then sending a query with qtype set to ANY. | [email protected] | 5.3 | 0.01% | 2025-12-09 | 2026-02-19 |
| CVE-2023-50868 | The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. | [email protected] | 7.5 | 12.42% | 2024-02-14 | 2025-12-23 |
| CVE-2023-50387 | Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. | [email protected] | 7.5 | 43.70% | 2024-02-14 | 2025-11-04 |
| CVE-2023-26437 | Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable. This issue affects Recursor: through 4.6.5, through 4.7.4, through 4.8.3. | [email protected] | 3.4 | 0.02% | 2023-04-04 | 2025-02-13 |
| CVE-2023-22617 | A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fallback mode. This is fixed in 4.8.1. | [email protected] | 7.5 | 1.06% | 2023-01-21 | 2025-04-03 |
| CVE-2022-37428 | PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties. | [email protected] | 6.5 | 0.05% | 2022-08-23 | 2024-11-21 |