{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33261", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.573Z", "datePublished": "2026-04-22T09:40:03.564Z", "dateUpdated": "2026-04-22T18:09:53.895Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T09:40:03.564Z"}, "title": "Null pointer accces in aggressive NSEC(3) cache", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Support for Integrity Check", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "Recursor", "collectionURL": "https://repo.powerdns.com/", "packageName": "pdns-recursor", "repo": "https://github.com/PowerDNS/pdns", "modules": ["Aggressive use of NSEC cache"], "programFiles": ["aggressive_nsec.cc"], "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.1", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.</p>"}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "credits": [{"lang": "en", "value": "ylwango613", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-353", "lang": "en", "description": "CWE-353 Missing Support for Integrity Check"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T17:52:56.932119Z", "id": "CVE-2026-33261", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:09:53.895Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33261", "assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "state": "PUBLISHED", "assignerShortName": "OX", "dateReserved": "2026-03-18T10:06:16.573Z", "datePublished": "2026-04-22T09:40:03.564Z", "dateUpdated": "2026-04-22T18:09:53.895Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981", "shortName": "OX", "dateUpdated": "2026-04-22T09:40:03.564Z"}, "title": "Null pointer accces in aggressive NSEC(3) cache", "datePublic": "2026-04-21T22:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "description": "Missing Support for Integrity Check", "type": "CWE"}]}], "affected": [{"vendor": "PowerDNS", "product": "Recursor", "collectionURL": "https://repo.powerdns.com/", "packageName": "pdns-recursor", "repo": "https://github.com/PowerDNS/pdns", "modules": ["Aggressive use of NSEC cache"], "programFiles": ["aggressive_nsec.cc"], "versions": [{"status": "affected", "version": "5.4.0", "lessThan": "5.4.1", "versionType": "semver"}, {"status": "affected", "version": "5.3.0", "lessThan": "5.3.6", "versionType": "semver"}, {"status": "affected", "version": "5.2.0", "lessThan": "5.2.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.</p>"}]}], "references": [{"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}}], "credits": [{"lang": "en", "value": "ylwango613", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33261", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T17:52:56.932119Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-353", "description": "CWE-353 Missing Support for Integrity Check"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:07:39.344Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service."}], "id": "CVE-2026-33261", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@open-xchange.com", "type": "Secondary"}]}, "published": "2026-04-22T10:16:51.857", "references": [{"source": "security@open-xchange.com", "url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-03.html"}], "sourceIdentifier": "security@open-xchange.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-353"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.4.0,5.4.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.3.0,5.3.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.2.0,5.2.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Recursor", "source": "cna", "vendor": "PowerDNS"}, "product": "recursor", "vendor": "powerdns"}], "analysis": {"en": {"generated_at": "2026-04-22T13:34:17.891946+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest PowerDNS Recursor release that includes the patch for the NSEC to NSEC3 transition issue.", "Monitor recursor logs for crashes that occur after zone transitions, and temporarily block zone updates until the patch is applied.", "If an upgrade cannot be performed immediately, refrain from performing zone transitions from NSEC to NSEC3 until the vulnerability is addressed, or consider using a stable zone configuration that avoids the transition until a fix is available."], "summary": {"action": "Patch Recursor", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PowerDNS Recursor component, regardless of the operating system or deployment method. No specific recursor version is listed in the advisory, so all deployments that have not applied a future patch should be considered potentially vulnerable.", "description_and_impact": "A configuration change that moves a DNS zone\u2019s security mechanism from NSEC to NSEC3 can trigger an internal inconsistency in PowerDNS Recursor. The inconsistency causes the recursor to crash, interrupting DNS resolution for clients that query the affected zone, resulting in a denial of service.", "risk_and_exploitability": "The CVSS base score of 5.9 indicates a medium severity. The vulnerability is triggered by a zone transition from NSEC to NSEC3, which may occur during zone data updates or reconfiguration. No explicit exploitation method is documented; the crash occurs only when the transition happens. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that widespread exploitation is not currently observed. Based on the description, it is inferred that an actor who can induce the zone transition\u2014such as a misconfigured zone author or a malicious zone transfer\u2014could trigger repeated crashes."}}}}, "created": "2026-04-22T11:30:15.169076+00:00", "updated": "2026-04-22T13:45:18.274572+00:00", "vendors": ["powerdns", "powerdns$PRODUCT$recursor"], "weaknesses": ["CWE-476"]}