Primary

Context

PowerDNS Recursor Assertion Failure Vulnerability Leading to Denial-of-Service

Vulnerability

Patched

A denial-of-service vulnerability has been identified in PowerDNS Recursor versions 5.3.0 and 5.3.1. This issue arises from an internal logic flaw in cache management, which can be exploited by sending crafted DNS records that trigger an assertion failure. The attacker must wait for these records to be cached before sending a query with the qtype set to ANY, causing a cache-related assertion failure that disrupts normal operation.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the PowerDNS Recursor to fail to respond to queries or to crash.

Remediation

Users can upgrade to PowerDNS Recursor version 5.3.3 or newer to address this vulnerability. Alternatively, requests with qtype ANY can be prevented.

Added: Dec 9, 2025, 7:18 PM

Updated: Dec 9, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

5.9

remediation

7.9

relevance

1.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.5

impact

2.5

exploitability

5.9

remediation

7.9

relevance

1.4

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

PowerDNS Recursor Assertion Failure Vulnerability Leading to Denial-of-Service

Vulnerability

Impact

Remediation

Affected Products

PowerDNS Recursor

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating