{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33261", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.573Z", "datePublished": "2026-04-22T09:40:03.564Z", "dateUpdated": "2026-04-22T18:09:53.895Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T09:40:03.564Z"}, "title": "Null pointer accces in aggressive NSEC(3) cache", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Support for Integrity Check", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "Recursor", "collectionURL": "https://repo.powerdns.com/", "packageName": "pdns-recursor", "repo": "https://github.com/PowerDNS/pdns", "modules": ["Aggressive use of NSEC cache"], "programFiles": ["aggressive_nsec.cc"], "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.1", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.</p>"}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "credits": [{"lang": "en", "value": "ylwango613", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-353", "lang": "en", "description": "CWE-353 Missing Support for Integrity Check"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:52:56.932119Z", "id": "CVE-2026-33261", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:09:53.895Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33261", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.573Z", "datePublished": "2026-04-22T09:40:03.564Z", "dateUpdated": "2026-04-22T18:09:53.895Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T09:40:03.564Z"}, "title": "Null pointer accces in aggressive NSEC(3) cache", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Support for Integrity Check", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "Recursor", "collectionURL": "https://repo.powerdns.com/", "packageName": "pdns-recursor", "repo": "https://github.com/PowerDNS/pdns", "modules": ["Aggressive use of NSEC cache"], "programFiles": ["aggressive_nsec.cc"], "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.1", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.</p>"}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "credits": [{"lang": "en", "value": "ylwango613", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:52:56.932119Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-353", "description": "CWE-353 Missing Support for Integrity Check"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:07:39.344Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "EBDA7C62-FAD4-470C-A6FE-4CF19B0BD4AD", "versionEndExcluding": "5.2.9", "versionStartIncluding": "5.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F7AC884-348F-47B1-8853-49BFEDBEA9EA", "versionEndExcluding": "5.3.6", "versionStartIncluding": "5.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:powerdns:recursor:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "4B201BAD-5A74-45E9-91FD-5E950BA18BF3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service."}], "id": "CVE-2026-33261", "lastModified": "2026-04-27T17:03:09.103", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-04-22T10:16:51.857", "references": [{"source": "security@open-xchange.com", "tags": ["Vendor Advisory", "Broken Link"], "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-353"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.4.0,5.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.2.0,5.2.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Recursor", "source": "cna", "vendor": "PowerDNS"}, "product": "recursor", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-29T00:17:32.484080+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest PowerDNS Recursor release that includes the patch for the NSEC to NSEC3 transition issue.", "Monitor recursor logs for crashes that occur after zone transitions, and temporarily block zone updates until the patch is applied.", "If an upgrade cannot be performed immediately, refrain from performing zone transitions from NSEC to NSEC3 until the vulnerability is addressed, or consider using a stable zone configuration that avoids the transition until a fix is available."], "summary": {"action": "Patch Recursor", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue affects PowerDNS Recursor, specifically the 5.4.0 release as identified by the advisory. Any deployment of this version, regardless of operating system or deployment method, is potentially vulnerable. Earlier or later releases may not contain the flaw.", "description_and_impact": "The vulnerability is a null pointer access triggered during the transition of a DNS zone from NSEC to NSEC3, causing an internal inconsistency that leads to the PowerDNS Recursor crashing. This crash interrupts DNS resolution for clients that query the affected zone, resulting in a denial of service. The weakness is reflected in CWE\u2011353 (Race Condition).", "risk_and_exploitability": "The CVSS base score of 5.9 indicates a medium severity. The vulnerability is triggered by a zone transition from NSEC to NSEC3, which may occur during zone data updates or reconfiguration. No explicit exploitation method is documented; the crash occurs only when the transition happens. The EPSS score is <1%, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation is not currently observed. Based on the description, it is inferred that an actor who can induce the zone transition\u2014such as a misconfigured zone author or a malicious zone transfer\u2014could trigger repeated crashes."}}}}, "created": "2026-04-22T11:30:15.169076+00:00", "updated": "2026-04-29T00:30:16.113935+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$recursor"]}