Today we have released PowerDNS Recursor 5.2.11, 5.3.8 and 5.4.3.
These releases provide fixes for PowerDNS Security Advisory 2026-08 for PowerDNS Recursor: Multiple issues.
There are several CVEs associated with this advisory, the first with severity High (but only applicable to specific configurations), the rest of severity Medium.
- CVE-2026-33612: ZoneToCache can poison the cache
- CVE-2026-40012: Information about ECS zero scoped answers might leak to clients that use a specific ECS
- CVE-2026-42005: Unbounded resource consumption in internal webserver
- CVE-2026-42390: ZONEMD validation can be bypassed
- CVE-2026-42389: Reject more queries with invalid header values
- CVE-2026-42388: Missing input validation for catalog zones
- CVE-2026-42387: Insufficient input validation in ZoneToCache
- CVE-2026-52690: Spoofed answers can mark an authoritative non-EDNS capable
Please refer to the changelogs (5.2.11, 5.3.8 and 5.4.3) and the full security advisory for additional details.
Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.
The tarballs (5.2.11, 5.3.8, 5.4.3) (with signature files 5.2.11, 5.3.8, 5.4.3) are available from our download server, and packages for several distributions are available from our repository.
Recently we made changes to our Open Source End of Life policy. Older release trains are now supported for one year after the following major release. Consult the EOL policy for more details.
We are grateful to the PowerDNS community for the reporting of bugs, issues, feature requests, and especially to the submitters of fixes and implementations of features.
