Search for packages
| purl | pkg:deb/debian/pdns-recursor@4.4.2-3 |
| Next non-vulnerable version | 5.2.9-0+deb13u1 |
| Latest non-vulnerable version | 5.4.1-1 |
| Risk | 3.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-26wf-1bqp-sbff
Aliases: CVE-2026-33601 |
If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2ugc-uygs-hqb8
Aliases: CVE-2025-59024 |
Crafted delegations or IP fragments can poison cached delegations in Recursor. |
Affected by 9 other vulnerabilities. |
|
VCID-5afe-ws96-nqh9
Aliases: CVE-2026-33258 |
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-66sa-bc5p-jqde
Aliases: CVE-2023-50387 |
Multiple vulnerabilities have been discovered in Dnsmasq, the worst of which could lead to a denial of service. |
Affected by 15 other vulnerabilities. |
|
VCID-7dc3-qdk8-k7b2
Aliases: CVE-2022-27227 |
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an IXFR end condition causes incomplete zone transfers to be handled as successful transfers. |
Affected by 15 other vulnerabilities. |
|
VCID-8tar-s444-zfac
Aliases: CVE-2022-37428 |
PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS query that leads to an answer with specific properties. |
Affected by 15 other vulnerabilities. |
|
VCID-anab-r9ty-1yh1
Aliases: CVE-2026-33600 |
An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-cdzz-8tc8-jucu
Aliases: CVE-2025-59023 |
Crafted delegations or IP fragments can poison cached delegations in Recursor. |
Affected by 9 other vulnerabilities. |
|
VCID-chzq-qej6-rkdq
Aliases: CVE-2026-33257 |
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-k3re-ss39-zugm
Aliases: CVE-2026-33262 |
An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-m445-c6a1-uugf
Aliases: CVE-2026-0398 |
Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor. |
Affected by 9 other vulnerabilities. |
|
VCID-mkcs-362g-t7aq
Aliases: CVE-2023-26437 |
Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.This issue affects Recursor: through 4.6.5, through 4.7.4 , through 4.8.3. |
Affected by 15 other vulnerabilities. |
|
VCID-mzne-k7ry-pubm
Aliases: CVE-2026-33259 |
Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-pfhu-1qdf-p7d5
Aliases: CVE-2026-33260 |
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-pjbp-1jgm-s3cg
Aliases: CVE-2026-24027 |
Crafted zones can lead to increased incoming network traffic. |
Affected by 9 other vulnerabilities. |
|
VCID-umcq-ztbz-qfb2
Aliases: CVE-2025-59030 |
An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP. |
Affected by 9 other vulnerabilities. |
|
VCID-v9yz-hcqv-83gu
Aliases: CVE-2026-33261 |
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service. |
Affected by 9 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vprj-j7u6-zbe7
Aliases: CVE-2023-50868 |
Multiple vulnerabilities have been discovered in Dnsmasq, the worst of which could lead to a denial of service. |
Affected by 15 other vulnerabilities. |
|
VCID-wmgd-z2j3-h7d9
Aliases: CVE-2024-25590 |
An attacker can publish a zone containing specific Resource Record Sets. Repeatedly processing and caching results for these sets can lead to a denial of service. |
Affected by 15 other vulnerabilities. |
|
VCID-wywf-pmyt-zud4
Aliases: CVE-2025-30192 |
An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled. |
Affected by 9 other vulnerabilities. |
|
VCID-xasd-r2rc-2ufq
Aliases: CVE-2026-33256 |
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-12cd-ky6m-qkdg | security update |
CVE-2020-12244
|
| VCID-3e3b-z5bh-pban | An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. It allows an attacker (with enough privileges to change the system's hostname) to cause disclosure of uninitialized memory content via a stack-based out-of-bounds read. It only occurs on systems where gethostname() does not have '\0' termination of the returned string if the hostname is larger than the supplied buffer. (Linux systems are not affected because the buffer is always large enough. OpenBSD systems are not affected because the returned hostname always has '\0' termination.) Under some conditions, this issue can lead to the writing of one '\0' byte out-of-bounds on the stack, causing a denial of service or possibly arbitrary code execution. |
CVE-2020-10030
|
| VCID-htr2-rwgm-47ed | A vulnerability in PowerDNS Recursor could lead to a Denial of Service condition. |
CVE-2020-25829
|
| VCID-n2k6-nfxs-7ydj | security update |
CVE-2020-10995
|
| VCID-s6ds-tuus-n7hr | In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. |
CVE-2020-14196
|