Powerdns
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Powerdns product.
RSS Feeds for Powerdns security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Powerdns products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Powerdns Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 52 vulnerabilities in Powerdns with an average score of 5.3 out of ten. Last year, in 2025 Powerdns had 3 security vulnerabilities published. That is, 49 more vulnerabilities have already been reported in 2026 as compared to last year. Last year, the average CVE base score was greater by 0.16
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 52 | 5.34 |
| 2025 | 3 | 5.50 |
| 2024 | 1 | 7.50 |
| 2023 | 2 | 6.40 |
| 2022 | 2 | 7.00 |
| 2021 | 1 | 7.50 |
| 2020 | 9 | 7.83 |
| 2019 | 5 | 7.70 |
| 2018 | 7 | 6.33 |
It may take a day or so for new Powerdns vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Powerdns Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-42389 | Jun 25, 2026 |
Unbound 5.4.x Hardening: Validating Answers from Authoritative ServersThis fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers. |
|
| CVE-2026-52690 | Jun 25, 2026 |
DNS Recursor EDNS Spoofing Triggers DNSSEC Validation FailureSpoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail. |
|
| CVE-2026-42390 | Jun 25, 2026 |
Unbound DNS Resolver ZONEMD validation flaw allows invalid zone to passAn invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation. |
|
| CVE-2026-42388 | Jun 25, 2026 |
Crash from Incomplete SOA Record Validation in Catalog ZoneIncomplete validation of the SOA record present in a catalog zone might lead to a crash. |
|
| CVE-2026-42387 | Jun 25, 2026 |
CVE-2026-42387 Recursor ZoneToCache Buffer Overflow in PowerDNS RecursorA malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation. |
|
| CVE-2026-40012 | Jun 25, 2026 |
Unbound ECS Cache Leak: Zero-Scoped Answers CachedECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled; |
|
| CVE-2026-33612 | Jun 25, 2026 |
DNS Cache Poisoning via ZoneToCache in BIND 9A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning. |
|
| CVE-2026-42004 | Jun 25, 2026 |
DNSdist Bypass EDNS OPT Filtering with Crafted OPT RecordAn attacker can send a crafted EDNS OPT record that will be ignored by DNSdists filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS option(s) that DNSdist did not filter. |
|
| CVE-2026-40211 | Jun 25, 2026 |
DoH3 DoS via OOM due to Unfreed BufferAn attacker can send crafted DNS over HTTP/3 queries, triggering an exception that prevents some buffer from being freed right away. The buffer will be freed at the end of the QUIC connection, but on some setups it might be possible to open enough concurrent DoH3 streams to trigger an out-of-memory condition, resulting in a denial of service. |
|
| CVE-2026-40210 | Jun 25, 2026 |
Linux Kernel OOB Read in SetMacAddrActionAn out-of-bounds read might happen when SetMacAddrAction is used, potentially resulting in uninitialized memory being sent over the network or a crash. |
|
| CVE-2026-40209 | Jun 25, 2026 |
IXFR DOS via Stuck TCP Connections in Unbound DNS ResolverAn attacker might be able to cause outgoing TCP connections to backend to be stuck until a timeout occurs instead of being released immediately, by sending IXFR queries. This could be used to cause a denial of service if there is a limit to the number of concurrent connections to this backend, or if the process runs out of file descriptors. |
|
| CVE-2026-40208 | Jun 25, 2026 |
DoH3 GET DDoS via invalid DATA frame (CVE-2026-40208)An attacker might be able to delay the processing of DoH3 queries by sending DoH3 GET queries with an invalid DATA frame. |
|
| CVE-2026-40011 | Jun 25, 2026 |
Prometheus endpoint block injection causing scraper denialAn attacker sending a large number of crafted DNS queries might be able to trigger a dynamic block being inserted with a value causing invalid output to be produced in the prometheus endpoint. The prometheus endpoint will then be rejected by the scraper until the dynamic block expires. |
|
| CVE-2026-42005 | Jun 25, 2026 |
Unlimited Memory Allocation DoS in Internal Web ServerAn attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
|
| CVE-2026-41999 | May 21, 2026 |
TCP PROXY Views Misbehav in Unknown DBIncorrect Behaviour of Views with TCP PROXY Requests |
|
| CVE-2026-42002 | May 21, 2026 |
Concurrency & Locking Vulnerability in GSS-TSIG Assigner:OX (CVE-2026-42002)Concurrency and locking defects in GSS-TSIG |
|
| CVE-2026-42001 | May 21, 2026 |
CVE-2026-42001: Autoprimary SOA Query Validation Flaw in Windows DNSInsufficient Validation of Autoprimary SOA Queries |
|
| CVE-2026-42000 | May 21, 2026 |
Insufficient Name Validation in AXFR Handler OXInsufficient Validation of Names During AXFR |
|
| CVE-2026-42396 | May 21, 2026 |
Open-Xchange OX: Insufficient Member Zone Validation Causes Zone Transfer FailureInsufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail |
|
| CVE-2026-33611 | Apr 22, 2026 |
Invalid HTTPS/SVCB Records Causing LMDB Corruption in Knot DNSAn operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. |
|
| CVE-2026-33610 | Apr 22, 2026 |
PowerDNS Secondary DoS via File Descriptor ExhaustionA rogue primary server may cause file descriptor exhaustion and eventually a denial of service, when a PowerDNS secondary server forwards a DNS update request to it. |
|
| CVE-2026-33609 | Apr 22, 2026 |
Incomplete LDAP Escaping in Open-Xchange 8bit-dns Enables Internal Domain QueryIncomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees. |
|
| CVE-2026-33608 | Apr 22, 2026 |
CVE-2026-33608: DNS NOTIFY Exploit Causes BIND Config CorruptionAn attacker can send a notify request that causes a new secondary domain to be added to the bind backend, but causes said backend to update its configuration to an invalid one, leading to the backend no longer able to run on the next restart, requiring manual operation to fix it. |
|
| CVE-2026-33593 | Apr 22, 2026 |
DNSCrypt CRASH: Divide-by-0 via Crafted DNS QueryA client can trigger a divide by zero error leading to crash by sending a crafted DNSCrypt query. |
|
| CVE-2026-33594 | Apr 22, 2026 |
DoH Backend Excessive Mem Alloc via Query FloodA client can trigger excessive memory allocation by generating a lot of queries that are routed to an overloaded DoH backend, causing queries to accumulate into a buffer that will not be released until the end of the connection. |
|
| CVE-2026-33595 | Apr 22, 2026 |
Excessive Memory Allocation via DoQ/DoH3 Error Responses in CoreDNSA client can trigger excessive memory allocation by generating a lot of errors responses over a single DoQ and DoH3 connection, as some resources were not properly released until the end of the connection. |
|
| CVE-2026-33597 | Apr 22, 2026 |
Denial of Service in PRSD Detection (unknown)PRSD detection denial of service |
|
| CVE-2026-33596 | Apr 22, 2026 |
DNS Response Mismatch via Timing Flood in DoT/TCP BackendsA client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend. |
|
| CVE-2026-33598 | Apr 22, 2026 |
CVE-2026-33598: OOB Read via Cached Lua Response on PacketCacheA cached crafted response can cause an out-of-bounds read if custom Lua code calls getDomainListByAddress() or getAddressListByDomain() on a packet cache. |
|
| CVE-2026-33599 | Apr 22, 2026 |
Rogue Backend Crafts SVCB for DDR auto_upgrade CVE-2026-33599A rogue backend can send a crafted SVCB response to a Discovery of Designated Resolvers request, when requested via either the autoUpgrade (Lua) option to newServer or auto_upgrade (YAML) settings. DDR upgrade is not enabled by default. |
|
| CVE-2026-33602 | Apr 22, 2026 |
Out-of-Bounds UDP Query ID Off-by-One in DNS Backend Leading to DoSA rogue backend can send a crafted UDP response with a query ID off by one related to the maximum configured value, triggering an out-of-bounds write leading to a denial of service. |
|
| CVE-2026-33254 | Apr 22, 2026 |
DNSdist Memory Exhaustion DoS via DoQ/DoH3 ConnectionsAn attacker can create a large number of concurrent DoQ or DoH3 connections, causing unlimited memory allocation in DNSdist and leading to a denial of service. DOQ and DoH3 are disabled by default. |
|
| CVE-2026-33262 | Apr 22, 2026 |
Null Pointer Deref in Reply Processing Causing DoSAn attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default. |
|
| CVE-2026-33261 | Apr 22, 2026 |
DNSSEC NSECNSEC3 Zone Transition DOS in BINDA zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service. |
|
| CVE-2026-33260 | Apr 22, 2026 |
Denial of Service via Unlimited Memory Allocation in Internal Web ServerAn attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
|
| CVE-2026-33259 | Apr 22, 2026 |
Use-After-Free in ISC BIND RPZ Recursor allowing RPZ data corruption or crashHaving many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider. |
|
| CVE-2026-33258 | Apr 22, 2026 |
Unbound NSEC3 Negative Cache DoS via Crafted ZoneBy publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches. |
|
| CVE-2026-33257 | Apr 22, 2026 |
DoS in Disabled Internal Web Server via Unlimited Memory AllocationAn attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
|
| CVE-2026-33256 | Apr 22, 2026 |
Unlimited Memory Allocation in Internal Web Server Leads to DoSAn attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
|
| CVE-2026-33601 | Apr 22, 2026 |
DNS DoS: zoneToCache NPD via Malicious ServerIf you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. |
|
| CVE-2026-33600 | Apr 22, 2026 |
BIND RPZ Null Pointer Deref Causes DoSAn RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. |
|
| CVE-2026-27854 | Mar 31, 2026 |
Use-After-Free in DNSdist DNSQuestion:getEDNSOptions via LuaAn attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. In some cases DNSQuestion:getEDNSOptions might refer to a version of the DNS packet that has been modified, thus triggering a use-after-free and potentially a crash resulting in denial of service. |
|
| CVE-2026-27853 | Mar 31, 2026 |
DNSdist OOB Write via DNSResponse:changeName in LuaAn attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in custom Lua code. In some cases the rewritten packet might become larger than the initial response and even exceed 65535 bytes, potentially leading to a crash resulting in denial of service. |
|
| CVE-2026-24030 | Mar 31, 2026 |
DNSdist OOM via DNS-over-QUIC/HTTP3 memory exhaustionAn attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in a denial of service. In setups with a large quantity of memory available this usually results in an exception and the QUIC connection is properly closed, but in some cases the system might enter an out-of-memory state instead and terminate the process. |
|
| CVE-2026-24029 | Mar 31, 2026 |
DoH ACL bypass via early_acl_drop Disable in nghttp2-based DoH ServerWhen the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPs frontend using the nghttp2 provider, the ACL check is skipped, allowing all clients to send DoH queries regardless of the configured ACL. |
|
| CVE-2026-24028 | Mar 31, 2026 |
Out-of-bounds Read via Lua newDNSPacketOverlay in DNS ParserAn attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse DNS packets. The out-of-bounds read might trigger a crash, leading to a denial of service, or access unrelated memory, leading to potential information disclosure. |
|
| CVE-2026-0397 | Mar 31, 2026 |
CORS Misconfig in Internal Webserver Allows Dashboard Info TheftWhen the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration of the Cross-Origin Resource Sharing (CORS) policy. |
|
| CVE-2026-0396 | Mar 31, 2026 |
DNSdist HTML Injection via Crafted DNS QueriesAn attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based dynamic rules have been enabled via either DynBlockRulesGroup:setSuffixMatchRule or DynBlockRulesGroup:setSuffixMatchRuleFFI. |
|
| CVE-2025-59024 | Feb 09, 2026 |
Cache Poisoning via Crafted Delegations/IP Fragments in BIND 9 RecursorCrafted delegations or IP fragments can poison cached delegations in Recursor. |
|
| CVE-2025-59023 | Feb 09, 2026 |
BIND Recursor Cached Delegation Poisoning via Crafted Delegations/IP FragmentsCrafted delegations or IP fragments can poison cached delegations in Recursor. |
|