{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33259", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.573Z", "datePublished": "2026-04-22T09:38:51.991Z", "dateUpdated": "2026-04-22T18:10:14.046Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T09:38:51.991Z"}, "title": "Concurrent modification of RPZ data can lead to denial of servce", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use After Free", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "Recursor", "collectionURL": "https://repo.powerdns.com/", "packageName": "pdns-recursor", "repo": "https://github.com/PowerDNS/pdns", "modules": ["RPZ"], "programFiles": ["filterpo.hh"], "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.1", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.</p>"}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H"}}], "credits": [{"lang": "en", "value": "Haruto Kimura (Stella)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:52:55.860673Z", "id": "CVE-2026-33259", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:10:14.046Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33259", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.573Z", "datePublished": "2026-04-22T09:38:51.991Z", "dateUpdated": "2026-04-22T18:10:14.046Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T09:38:51.991Z"}, "title": "Concurrent modification of RPZ data can lead to denial of servce", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Use After Free", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "Recursor", "collectionURL": "https://repo.powerdns.com/", "packageName": "pdns-recursor", "repo": "https://github.com/PowerDNS/pdns", "modules": ["RPZ"], "programFiles": ["filterpo.hh"], "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.1", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.</p>"}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H"}}], "credits": [{"lang": "en", "value": "Haruto Kimura (Stella)", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33259", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:52:55.860673Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:04:15.479Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "EBDA7C62-FAD4-470C-A6FE-4CF19B0BD4AD", "versionEndExcluding": "5.2.9", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F7AC884-348F-47B1-8853-49BFEDBEA9EA", "versionEndExcluding": "5.3.6", "versionStartIncluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B201BAD-5A74-45E9-91FD-5E950BA18BF3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider."}], "id": "CVE-2026-33259", "lastModified": "2026-04-27T17:03:35.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 4.2, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-04-22T10:16:51.580", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory", "Broken Link"], "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.4.0,5.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.2.0,5.2.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Recursor", "source": "cna", "vendor": "PowerDNS"}, "product": "recursor", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-22T11:22:19.295104+00:00", "value": {"mitigation_remediation": ["Update PowerDNS Recursor to the latest release that contains the RPZ race condition fix referenced in the advisory.", "Configure RPZ zone transfers to use authenticated, trusted providers and enforce integrity checks to prevent malicious or duplicated updates.", "If the recursor is in a high\u2011availability environment, restart the service after any RPZ configuration change to ensure the internal state is clean."], "summary": {"action": "Apply Patch", "impact": "Denial of Service due to Recursor crash"}, "threat_synthesis": {"affected_systems": "All versions of PowerDNS Recursor that have not applied the fix referenced in the PowerDNS advisory are affected. The exact version range is not specified, so any unsupported or older release should be considered vulnerable until the patch is applied.", "description_and_impact": "A race condition in PowerDNS Recursor allows concurrent transfers of the same RPZ zone to corrupt internal data structures, resulting in use\u2011after\u2011free errors that cause the recursor process to crash. The vulnerability can lead to availability loss but does not provide direct access to data or control of the system.", "risk_and_exploitability": "The CVSS score of 5.0 classifies this as a moderate severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker who can influence or impersonate an RPZ provider to cause concurrent RPZ zone transfers, which is less common but still possible if communications are not authenticated or validated."}}}}, "created": "2026-04-22T11:30:15.370445+00:00", "updated": "2026-04-22T11:47:51.801383+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$recursor"], "weaknesses": ["CWE-416", "CWE-362"]}