{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0398", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2025-11-28T09:18:07.874Z", "datePublished": "2026-02-09T14:20:46.592Z", "dateUpdated": "2026-02-09T15:37:04.885Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected", "modules": ["Synchronous Resolver"], "packageName": "pdns-recursor", "product": "Recursor", "programFiles": ["syncres.cc"], "repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "versions": [{"lessThan": "5.3.5", "status": "affected", "version": "5.3.0", "versionType": "semver"}, {"lessThan": "5.2.8", "status": "affected", "version": "5.2.0", "versionType": "semver"}, {"lessThan": "5.1.10", "status": "affected", "version": "5.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Yufan You from Tsinghua University"}, {"lang": "en", "type": "finder", "value": "TaoFei Guo from Peking University"}, {"lang": "en", "type": "finder", "value": "Yang Luo from Tsinghua University"}, {"lang": "en", "type": "finder", "value": "JianJun Chen from Tsinghua University"}], "datePublic": "2026-02-09T13:47:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.</p>"}], "value": "Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-02-09T14:20:46.592Z"}, "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"}], "source": {"advisory": "PowerDNS Security Advisory 2026-01", "discovery": "EXTERNAL"}, "title": "Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-09T15:36:48.242785Z", "id": "CVE-2026-0398", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:37:04.885Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0398", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-09T15:36:48.242785Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-09T15:37:00.577Z"}}], "cna": {"title": "Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor", "source": {"advisory": "PowerDNS Security Advisory 2026-01", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Yufan You from Tsinghua University"}, {"lang": "en", "type": "finder", "value": "TaoFei Guo from Peking University"}, {"lang": "en", "type": "finder", "value": "Yang Luo from Tsinghua University"}, {"lang": "en", "type": "finder", "value": "JianJun Chen from Tsinghua University"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/PowerDNS/pdns", "vendor": "PowerDNS", "modules": ["Synchronous Resolver"], "product": "Recursor", "versions": [{"status": "affected", "version": "5.3.0", "lessThan": "5.3.5", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.8", "versionType": "semver"}, {"status": "affected", "version": "5.1.0", "lessThan": "5.1.10", "versionType": "semver"}], "packageName": "pdns-recursor", "programFiles": ["syncres.cc"], "collectionURL": "https://repo.powerdns.com/", "defaultStatus": "unaffected"}], "datePublic": "2026-02-09T13:47:00.000Z", "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.", "supportingMedia": [{"type": "text/html", "value": "<p>Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-02-09T14:20:46.592Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0398", "state": "PUBLISHED", "dateUpdated": "2026-02-09T15:37:04.885Z", "dateReserved": "2025-11-28T09:18:07.874Z", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "datePublished": "2026-02-09T14:20:46.592Z", "assignerShortName": "OX"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "BCD53D74-E38B-4113-A5FD-880E7EA4EFA3", "versionEndExcluding": "5.1.10", "versionStartIncluding": "5.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "707F72F2-1B2F-4DFA-8421-DBDF47980A36", "versionEndExcluding": "5.2.8", "versionStartIncluding": "5.2.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE3FB5B9-EB60-473D-9C9D-39787C08BA1B", "versionEndExcluding": "5.3.5", "versionStartIncluding": "5.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor."}, {"lang": "es", "value": "Zonas manipuladas pueden llevar a un mayor uso de recursos y cadenas CNAME manipuladas pueden llevar a envenenamiento de cach\u00e9 en Recursor."}], "id": "CVE-2026-0398", "lastModified": "2026-04-20T14:55:46.507", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-02-09T15:16:11.360", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory"], "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-01.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.2.0,5.2.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.1.0,5.1.10)"}}], "product": "recursor", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-17T21:26:31.181891+00:00", "value": {"mitigation_remediation": ["Check the PowerDNS website or documentation for a security patch or newer release that addresses the resource\u2011consumption and cache\u2011poisoning issue and upgrade accordingly.", "Configure Recursor to limit recursion depth, set a maximum recursion quota, and apply request rate limiting to reduce the impact of excessive resource usage by malicious zones.", "Enable DNSSEC validation in Recursor to help verify the authenticity of returned records and mitigate cache poisoning, and consider using a DNS firewall or filtering rules to block queries for zones that appear suspicious."], "summary": {"action": "Assess Impact", "impact": "Denial of Service / Cache Poisoning"}, "threat_synthesis": {"affected_systems": "All installations of PowerDNS Recursor are potentially vulnerable. The CVE lists the product but does not specify affected releases, so any deployment of Recursor could be impacted.", "description_and_impact": "The vulnerability permits an attacker to supply DNS zones with specially crafted records, including CNAME chains, that cause the Recursor to consume a significant amount of memory and CPU, or to store incorrect information in its cache, leading to denial of service or cache poisoning. This is a CWE\u2011770 type flaw where excessive resource consumption can be triggered by user input.", "risk_and_exploitability": "The CVSS score of 5.3 reflects a moderate risk, and the EPSS score of less than 1\u202f% indicates a very low exploitation probability at the time of analysis. The issue is not in the CISA KEV catalog. The attack can be performed over the network by an adversary who can direct the Recursor to resolve zones under their control, exploiting the Recursor\u2019s handling of zone data. No specific prerequisites other than the ability to query the Recursor are required."}}}}, "created": "2026-02-10T11:35:32.753413+00:00", "updated": "2026-04-17T21:30:28.391412+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$recursor"]}