Today we have released PowerDNS Recursor 5.2.9, 5.3.6 and 5.4.1.
These releases provide fixes for PowerDNS Security Advisory 2026-03 for PowerDNS Recursor: Multiple issues.
There are several CVEs associated with this advisory, all of severity Medium.
- CVE-2026-33256 Unbounded memory allocation by internal web server, affected 5.3.5, 5.4.0
- CVE-2026-33257 Insufficient input validation of internal web server, affected 5.2.8
- CVE-2026-33258 Crafted zones can cause increased resource usage, affected 5.2.8, 5.3.5, 5.4.0
- CVE-2026-33259 Concurrent modification of RPZ data can lead to denial of service, affected 5.2.8, 5.3.5, 5.4.0
- CVE-2026-33260 Insufficient input validation of internal web server, affected 5.2.8
- CVE-2026-33261 Null pointer access in aggressive NSEC(3) cache, affected 5.2.8, 5.3.5, 5.4.0
- CVE-2026-33262 Insufficient validation of cookie reply, affected 5.4.0
- CVE-2026-33601 Insufficient validation of ZONEMD record, affected 5.2.8, 5.3.5, 5.4.0
- CVE-2026-33600 Null pointer dereference in RPZ transfer, affected 5.2.8, 5.3.5, 5.4.0
Please refer to the changelogs (5.2.9, 5.3.6 and 5.4.1) and the full security advisory for additional details.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
The tarballs (5.2.9, 5.3.6, 5.4.1) (with signature files 5.2.9, 5.3.6, 5.4.1) are available from our download server and packages for several distributions are available from our repository.
Recently we made changes to our Open Source End of Life policy. Older release trains are now supported for one year after the following major release. Consult the EOL policy for more details.
We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.
