Powerdns Powerdns

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Powerdns product.

RSS Feeds for Powerdns security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Powerdns products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Powerdns Sorted by Most Security Vulnerabilities since 2018

Powerdns Recursor39 vulnerabilities

Powerdns Authoritative20 vulnerabilities

Powerdns Dnsdist1 vulnerability

Powerdns Pdns1 vulnerability

By the Year

In 2026 there have been 52 vulnerabilities in Powerdns with an average score of 5.3 out of ten. Last year, in 2025 Powerdns had 3 security vulnerabilities published. That is, 49 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.16




Year Vulnerabilities Average Score
2026 52 5.34
2025 3 5.50
2024 1 7.50
2023 2 6.40
2022 2 7.00
2021 1 7.50
2020 9 7.83
2019 5 7.70
2018 7 6.33

It may take a day or so for new Powerdns vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Powerdns Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-42389 Jun 25, 2026
Unbound 5.4.x Hardening: Validating Answers from Authoritative Servers This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
Recursor
CVE-2026-52690 Jun 25, 2026
DNS Recursor EDNS Spoofing Triggers DNSSEC Validation Failure Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
Recursor
CVE-2026-42390 Jun 25, 2026
Unbound DNS Resolver ZONEMD validation flaw allows invalid zone to pass An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
Recursor
CVE-2026-42388 Jun 25, 2026
Crash from Incomplete SOA Record Validation in Catalog Zone Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
Recursor
CVE-2026-42387 Jun 25, 2026
CVE-2026-42387 Recursor ZoneToCache Buffer Overflow in PowerDNS Recursor A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.
Recursor
CVE-2026-40012 Jun 25, 2026
Unbound ECS Cache Leak: Zero-Scoped Answers Cached ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;
Recursor
CVE-2026-33612 Jun 25, 2026
DNS Cache Poisoning via ZoneToCache in BIND 9 A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
Recursor
CVE-2026-42004 Jun 25, 2026
DNSdist Bypass EDNS OPT Filtering with Crafted OPT Record An attacker can send a crafted EDNS OPT record that will be ignored by DNSdists filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter.
CVE-2026-40211 Jun 25, 2026
DoH3 DoS via OOM due to Unfreed Buffer An attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service.
CVE-2026-40210 Jun 25, 2026
Linux Kernel OOB Read in SetMacAddrAction An out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash.
CVE-2026-40209 Jun 25, 2026
IXFR DOS via Stuck TCP Connections in Unbound DNS Resolver An attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors.
CVE-2026-40208 Jun 25, 2026
DoH3 GET DDoS via invalid DATA frame (CVE-2026-40208) An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame.
CVE-2026-40011 Jun 25, 2026
Prometheus endpoint block injection causing scraper denial An attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires.
CVE-2026-42005 Jun 25, 2026
Unlimited Memory Allocation DoS in Internal Web Server An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Authoritative
CVE-2026-41999 May 21, 2026
TCP PROXY Views Misbehav in Unknown DB Incorrect Behaviour of Views with TCP PROXY Requests
Authoritative
CVE-2026-42002 May 21, 2026
Concurrency & Locking Vulnerability in GSS-TSIG Assigner:OX (CVE-2026-42002) Concurrency and locking defects in GSS-TSIG
Authoritative
CVE-2026-42001 May 21, 2026
CVE-2026-42001: Autoprimary SOA Query Validation Flaw in Windows DNS Insufficient Validation of Autoprimary SOA Queries
Authoritative
CVE-2026-42000 May 21, 2026
Insufficient Name Validation in AXFR Handler OX Insufficient Validation of Names During AXFR
Authoritative
CVE-2026-42396 May 21, 2026
Open-Xchange OX: Insufficient Member Zone Validation Causes Zone Transfer Failure Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
Authoritative
CVE-2026-33611 Apr 22, 2026
Invalid HTTPS/SVCB Records Causing LMDB Corruption in Knot DNS An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend.
Authoritative
CVE-2026-33610 Apr 22, 2026
PowerDNS Secondary DoS via File Descriptor Exhaustion A rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it.
Authoritative
CVE-2026-33609 Apr 22, 2026
Incomplete LDAP Escaping in Open-Xchange 8bit-dns Enables Internal Domain Query Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees.
Authoritative
CVE-2026-33608 Apr 22, 2026
CVE-2026-33608: DNS NOTIFY Exploit Causes BIND Config Corruption An attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it.
Authoritative
CVE-2026-33593 Apr 22, 2026
DNSCrypt CRASH: Divide-by-0 via Crafted DNS Query A client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query.
CVE-2026-33594 Apr 22, 2026
DoH Backend Excessive Mem Alloc via Query Flood A client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection.
CVE-2026-33595 Apr 22, 2026
Excessive Memory Allocation via DoQ/DoH3 Error Responses in CoreDNS A client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection.
CVE-2026-33597 Apr 22, 2026
Denial of Service in PRSD Detection (unknown) PRSD detection denial of service
CVE-2026-33596 Apr 22, 2026
DNS Response Mismatch via Timing Flood in DoT/TCP Backends A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend.
CVE-2026-33598 Apr 22, 2026
CVE-2026-33598: OOB Read via Cached Lua Response on PacketCache A cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache.
CVE-2026-33599 Apr 22, 2026
Rogue Backend Crafts SVCB for DDR auto_upgrade CVE-2026-33599 A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default.
CVE-2026-33602 Apr 22, 2026
Out-of-Bounds UDP Query ID Off-by-One in DNS Backend Leading to DoS A rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service.
CVE-2026-33254 Apr 22, 2026
DNSdist Memory Exhaustion DoS via DoQ/DoH3 Connections An attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default.
CVE-2026-33262 Apr 22, 2026
Null Pointer Deref in Reply Processing Causing DoS An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.
Recursor
CVE-2026-33261 Apr 22, 2026
DNSSEC NSECNSEC3 Zone Transition DOS in BIND A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
Recursor
CVE-2026-33260 Apr 22, 2026
Denial of Service via Unlimited Memory Allocation in Internal Web Server An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Authoritative
Recursor
CVE-2026-33259 Apr 22, 2026
Use-After-Free in ISC BIND RPZ Recursor allowing RPZ data corruption or crash Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
Recursor
CVE-2026-33258 Apr 22, 2026
Unbound NSEC3 Negative Cache DoS via Crafted Zone By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.
Recursor
CVE-2026-33257 Apr 22, 2026
DoS in Disabled Internal Web Server via Unlimited Memory Allocation An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Authoritative
Recursor
CVE-2026-33256 Apr 22, 2026
Unlimited Memory Allocation in Internal Web Server Leads to DoS An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
Recursor
CVE-2026-33601 Apr 22, 2026
DNS DoS: zoneToCache NPD via Malicious Server If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
Recursor
CVE-2026-33600 Apr 22, 2026
BIND RPZ Null Pointer Deref Causes DoS An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
Recursor
CVE-2026-27854 Mar 31, 2026
Use-After-Free in DNSdist DNSQuestion:getEDNSOptions via Lua An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service.
CVE-2026-27853 Mar 31, 2026
DNSdist OOB Write via DNSResponse:changeName in Lua An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service.
CVE-2026-24030 Mar 31, 2026
DNSdist OOM via DNS-over-QUIC/HTTP3 memory exhaustion An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process.
CVE-2026-24029 Mar 31, 2026
DoH ACL bypass via early_acl_drop Disable in nghttp2-based DoH Server When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL.
CVE-2026-24028 Mar 31, 2026
Out-of-bounds Read via Lua newDNSPacketOverlay in DNS Parser An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure.
CVE-2026-0397 Mar 31, 2026
CORS Misconfig in Internal Webserver Allows Dashboard Info Theft When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy.
CVE-2026-0396 Mar 31, 2026
DNSdist HTML Injection via Crafted DNS Queries An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI.
CVE-2025-59024 Feb 09, 2026
Cache Poisoning via Crafted Delegations/IP Fragments in BIND 9 Recursor Crafted delegations or IP fragments can poison cached delegations in Recursor.
Recursor
CVE-2025-59023 Feb 09, 2026
BIND Recursor Cached Delegation Poisoning via Crafted Delegations/IP Fragments Crafted delegations or IP fragments can poison cached delegations in Recursor.
Recursor
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.