This vulnerability in PowerDNS Recursor involves allocation of resources without limits or throttling when handling crafted DNS zones. Specifically, an attacker can cause the DNS server to allocate large cache entries in the negative and aggressive NSEC(3) caches by publishing and querying maliciously crafted zones. This behavior can lead to resource exhaustion and potential denial of service conditions. The affected versions are 5.2.0, 5.3.0, and 5.4.0. The CVSS 3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and low availability impact.

The impact of this vulnerability is limited to availability, as it can cause denial of service by exhausting resources through uncontrolled cache allocation. There is no impact on confidentiality or integrity. No known exploits have been reported in the wild, and the vulnerability requires an attacker to publish and query crafted zones to trigger the issue.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider monitoring DNS query patterns for abnormal activity related to negative and aggressive NSEC(3) cache usage. No official remediation or temporary fix has been published by the vendor at this time.