Skip to main content

PowerDNS Authoritative CVE-2026-42005

| EUVDEUVD-2026-39345 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-25 OX GHSA-27xg-fw4v-jgv6
4.3
CVSS 3.1 · Vendor: OX
Share

Severity by source

Vendor (OX) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
4.3 MEDIUM

Network-reachable API requires low-privilege credentials (PR:L); memory exhaustion yields only partial availability loss (A:L) with no confidentiality or integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from Vendor (OX).

CVSS VectorVendor: OX

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 14:16 EUVD
Analysis Generated
Jun 25, 2026 - 12:31 vuln.today

DescriptionCVE.org

An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.

AnalysisAI

PowerDNS Authoritative Server's optional internal web server accepts crafted HTTP requests that trigger unbounded memory allocation, exhausting process memory and causing a denial of service against the DNS service. Exploitation requires low-privilege authentication (PR:L per CVSS vector) and the internal web server must be explicitly enabled - it is disabled by default, sharply limiting the real-world attack surface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify PowerDNS instance with web server enabled
Delivery
Obtain low-privilege API credentials
Exploit
Send crafted HTTP request to API port
Execution
Trigger unbounded memory allocation in web server
Persist
Exhaust process memory
Impact
DNS authoritative service becomes unavailable

Vulnerability AssessmentAI

Exploitation Two non-default conditions must both be present for exploitation to be possible: (1) the internal web server must be explicitly enabled in pdns.conf (it is DISABLED BY DEFAULT, so the vast majority of deployments are not affected); and (2) the attacker must possess low-privilege authentication credentials to the API, as confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 (Medium) accurately reflects the real-world risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained low-privilege credentials to the PowerDNS Authoritative internal web server API - in a deployment where that API has been explicitly enabled and the port is reachable - sends a crafted HTTP request engineered to trigger repeated or unbounded memory allocation. The PowerDNS process exhausts available system memory, causing the DNS authoritative service to become unresponsive or crash, resulting in resolution failures for all hosted zones until the process is restarted.
Remediation Administrators should consult the PowerDNS advisory at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-07.html for the patched release version - no exact fixed version number is available in the current intelligence data, so stating a specific version here would be speculative. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-5427 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this

CVE-2016-5426 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU

CVE-2020-24698 CRITICAL
9.8 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti

CVE-2020-24696 HIGH
8.1 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2015-1868 HIGH
7.8 May 18

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori

CVE-2015-5470 HIGH
7.8 Nov 02

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)

CVE-2026-42001 HIGH
7.5 May 21

Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received vi

CVE-2020-24697 HIGH
7.5 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2019-10162 HIGH
7.5 Jul 30

A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use

CVE-2018-14626 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab

CVE-2018-10851 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi

CVE-2026-42000 MEDIUM
6.8 May 21

Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS rec

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

CVE-2026-42005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy