Skip to main content

PowerDNS Authoritative CVE-2026-42001

| EUVDEUVD-2026-31259 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-21 OX GHSA-mxqj-8r4c-fp83
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
May 21, 2026 - 11:01 EUVD
Analysis Generated
May 21, 2026 - 10:45 vuln.today

DescriptionCVE.org

Insufficient Validation of Autoprimary SOA Queries

AnalysisAI

Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received via the Autoprimary (formerly 'supermaster') replication mechanism, allowing unauthenticated network-based attackers to disrupt service availability. The flaw carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with availability-only impact, and no public exploit identified at time of analysis. The OX-reported issue is documented in PowerDNS Security Advisory 2026-06.

Technical ContextAI

PowerDNS Authoritative Server is an open-source authoritative DNS nameserver (CPE cpe:2.3:a:powerdns:authoritative) widely deployed by ISPs, hosting providers, and enterprises. The Autoprimary feature lets the server automatically provision new zones when it receives a NOTIFY/SOA query from a trusted upstream primary, removing the need to manually pre-configure each slave zone. The vulnerability lies in how incoming SOA queries within this Autoprimary code path are validated; insufficient input checks (no CWE was assigned, but the behavior aligns with improper input validation classes such as CWE-20) let a crafted SOA query disrupt the server. Because SOA handling sits in the DNS query path, the flaw is exposed wherever the authoritative service listens for DNS traffic and Autoprimary is enabled.

RemediationAI

Patch available per vendor advisory: upgrade PowerDNS Authoritative Server to the fixed release identified in PowerDNS Security Advisory 2026-06 (https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html); exact fix versions are not reproduced in the provided input, so consult the advisory for the precise build. Until you can patch, the most effective compensating control is to disable the Autoprimary feature (set autosecondary=no / remove the legacy supermaster configuration) - the side effect is that new zones can no longer be auto-provisioned and must be configured manually. If Autoprimary must remain enabled, restrict inbound DNS (UDP/TCP 53) at the network edge so that only known primary IPs can reach the authoritative server's query interface, and place the management interface behind an ACL; the trade-off is operational overhead when primaries change addresses. Do not rely on rate limiting alone, as a single malformed SOA may be sufficient to trigger the condition.

CVE-2016-5427 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this

CVE-2016-5426 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU

CVE-2020-24698 CRITICAL
9.8 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti

CVE-2020-24696 HIGH
8.1 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2015-1868 HIGH
7.8 May 18

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori

CVE-2015-5470 HIGH
7.8 Nov 02

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)

CVE-2020-24697 HIGH
7.5 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2019-10162 HIGH
7.5 Jul 30

A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use

CVE-2018-14626 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab

CVE-2018-10851 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi

CVE-2026-42000 MEDIUM
6.8 May 21

Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS rec

CVE-2026-33611 MEDIUM
6.5 Apr 22

PowerDNS Authoritative server allows authenticated REST API operators to inject malformed HTTPS or SVCB record data, cor

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-42001 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy