CVE-2026-33259: Use After Free in PowerDNS Recursor
CVE-2026-33259 is a use-after-free vulnerability in PowerDNS Recursor versions 5. 2. 0, 5. 3. 0, and 5. 4. 0. It occurs when many concurrent transfers of the same Response Policy Zone (RPZ) happen, potentially leading to inconsistent RPZ data, use-after-free conditions, or a crash of the recursor. Such concurrent transfers typically only occur if the RPZ provider malfunctions. The vulnerability has a medium severity rating with a CVSS score of 5.
AI Analysis
Technical Summary
This vulnerability involves a use-after-free condition in PowerDNS Recursor when handling multiple concurrent transfers of the same RPZ zone. The flaw can cause inconsistent RPZ data or crashes due to improper memory management. Concurrent transfers of the same RPZ zone are not expected under normal operation and indicate a malfunctioning RPZ provider. The affected versions are 5.2.0, 5.3.0, and 5.4.0. There is no vendor advisory or patch information available at this time, and no known exploits in the wild have been reported.
Potential Impact
The vulnerability can lead to denial of service through recursor crashes and potential instability due to inconsistent RPZ data. There is no indication of confidentiality or integrity impact beyond limited integrity impact as per the CVSS vector. No known exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is documented, users should monitor for vendor updates and avoid configurations that could cause concurrent RPZ transfers, particularly from malfunctioning RPZ providers.
CVE-2026-33259: Use After Free in PowerDNS Recursor
Description
CVE-2026-33259 is a use-after-free vulnerability in PowerDNS Recursor versions 5. 2. 0, 5. 3. 0, and 5. 4. 0. It occurs when many concurrent transfers of the same Response Policy Zone (RPZ) happen, potentially leading to inconsistent RPZ data, use-after-free conditions, or a crash of the recursor. Such concurrent transfers typically only occur if the RPZ provider malfunctions. The vulnerability has a medium severity rating with a CVSS score of 5.
CVSS v3.1
Score 5.0medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability involves a use-after-free condition in PowerDNS Recursor when handling multiple concurrent transfers of the same RPZ zone. The flaw can cause inconsistent RPZ data or crashes due to improper memory management. Concurrent transfers of the same RPZ zone are not expected under normal operation and indicate a malfunctioning RPZ provider. The affected versions are 5.2.0, 5.3.0, and 5.4.0. There is no vendor advisory or patch information available at this time, and no known exploits in the wild have been reported.
Potential Impact
The vulnerability can lead to denial of service through recursor crashes and potential instability due to inconsistent RPZ data. There is no indication of confidentiality or integrity impact beyond limited integrity impact as per the CVSS vector. No known exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is documented, users should monitor for vendor updates and avoid configurations that could cause concurrent RPZ transfers, particularly from malfunctioning RPZ providers.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- OX
- Date Reserved
- 2026-03-18T10:06:16.573Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e89fe619fe3cd2cd8f5f49
Added to database: 4/22/2026, 10:16:06 AM
Last enriched: 4/29/2026, 11:10:43 AM
Last updated: 6/6/2026, 1:28:11 PM
Views: 64
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.