Skip to main content

PowerDNS Recursor CVE-2026-42389

| EUVDEUVD-2026-39388 MEDIUM
Improper Input Validation (CWE-20)
2026-06-25 OX GHSA-hrq7-vr6r-5mvq
5.3
CVSS 3.1 · Vendor: OX
Share

Severity by source

Vendor (OX) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.7 LOW

AC:H applied because reliable exploitation requires attacker control of or on-path interception of authoritative DNS responses, not trivial remote access.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (OX).

CVSS VectorVendor: OX

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 15:17 EUVD
Analysis Generated
Jun 25, 2026 - 14:38 vuln.today

DescriptionCVE.org

This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.

AnalysisAI

DNS response manipulation in PowerDNS Recursor 5.4.x allows network-positioned attackers to inject false DNS records through insufficient validation of answers received from authoritative servers, resulting in low-integrity violations in name resolution for downstream clients. The 5.4.x branch received hardening patches per PowerDNS advisory 2026-08 to close this validation gap. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control or compromise authoritative DNS server
Delivery
Target recursor dispatches iterative DNS query for victim domain
Exploit
Respond with crafted, malformed DNS answer payload
Execution
Bypass recursor's insufficient response validation logic
Persist
Inject false DNS record into recursor answer cache
Impact
Downstream clients receive manipulated name resolution

Vulnerability AssessmentAI

Exploitation Exploitation requires PowerDNS Recursor running on the 5.4.x branch. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) characterizes this as a network-accessible, low-complexity integrity issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who operates or has compromised an authoritative DNS server for a domain queried by a vulnerable PowerDNS Recursor 5.4.x instance sends a crafted DNS response that bypasses the recursor's insufficient answer validation. The recursor accepts and caches the manipulated record, causing downstream clients to receive false DNS resolutions that could redirect them to attacker-controlled infrastructure. …
Remediation Patch available per vendor advisory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-3807 CRITICAL
9.8 Jan 29

An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of response

CVE-2020-10030 HIGH
8.8 May 19

An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. Rated high severity (CVSS 8.8), this vulne

CVE-2025-59023 HIGH
8.2 Feb 09

Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]

CVE-2019-3806 HIGH
8.1 Jan 29

An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied

CVE-2015-1868 HIGH
7.8 May 18

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori

CVE-2015-5470 HIGH
7.8 Nov 02

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)

CVE-2023-22617 HIGH
7.5 Jan 21

A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS

CVE-2022-27227 HIGH
7.5 Mar 25

In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4

CVE-2020-25829 HIGH
7.5 Oct 16

An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. Rated high sever

CVE-2020-10995 HIGH
7.5 May 19

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. Rated

CVE-2020-12244 HIGH
7.5 May 19

An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN respo

CVE-2018-16855 HIGH
7.5 Dec 03

An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigge

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-42389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy