Skip to main content

PowerDNS Recursor CVE-2026-42390

| EUVDEUVD-2026-39359 MEDIUM
Improper Input Validation (CWE-20)
2026-06-25 OX GHSA-3r7g-67q5-53gf
5.3
CVSS 3.1 · Vendor: OX
Share

Severity by source

Vendor (OX) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.7 LOW

AC:H applied because exploitation requires non-default ZoneToCache+ZONEMD configuration and attacker positioning to supply a crafted zone; no auth, confidentiality, or availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (OX).

CVSS VectorVendor: OX

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 15:17 EUVD
Analysis Generated
Jun 25, 2026 - 14:35 vuln.today

DescriptionCVE.org

An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.

AnalysisAI

ZONEMD validation bypass in PowerDNS Recursor allows a cryptographically invalid DNS zone to be accepted as legitimate when ZoneToCache is configured with ZONEMD validation enabled. This undermines the integrity guarantee that ZONEMD is designed to provide - an attacker capable of serving a crafted zone to the resolver (e.g., via a rogue authoritative source or network interception) can cause the recursor to cache and serve tampered DNS data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target recursor with ZoneToCache + ZONEMD enabled
Delivery
Position to control or intercept zone source
Exploit
Craft zone with invalid ZONEMD digest
Install
Serve invalid zone to recursor
C2
Bypass ZONEMD validation check
Execute
Recursor caches tampered zone data
Impact
Clients receive attacker-influenced DNS responses

Vulnerability AssessmentAI

Exploitation Exploitation is conditioned on two non-default requirements that must both be true simultaneously: the PowerDNS Recursor instance must have the ZoneToCache feature explicitly configured, and ZONEMD validation must be enabled within that configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) reflects a network-reachable, unauthenticated integrity bypass with limited impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker controlling a zone source configured in ZoneToCache - either by operating a rogue authoritative server or by intercepting the zone transfer between the resolver and its configured source - serves a crafted zone whose ZONEMD digest does not match its contents. The PowerDNS Recursor's faulty validation logic accepts the zone as intact, caching and subsequently serving the tampered DNS data to downstream clients. …
Remediation Upgrade PowerDNS Recursor to the patched version identified in the vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html - the exact fixed version number is not independently confirmed in available data and must be verified from that source. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2019-3807 CRITICAL
9.8 Jan 29

An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of response

CVE-2020-10030 HIGH
8.8 May 19

An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. Rated high severity (CVSS 8.8), this vulne

CVE-2025-59023 HIGH
8.2 Feb 09

Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]

CVE-2019-3806 HIGH
8.1 Jan 29

An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied

CVE-2015-1868 HIGH
7.8 May 18

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori

CVE-2015-5470 HIGH
7.8 Nov 02

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)

CVE-2023-22617 HIGH
7.5 Jan 21

A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS

CVE-2022-27227 HIGH
7.5 Mar 25

In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4

CVE-2020-25829 HIGH
7.5 Oct 16

An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. Rated high sever

CVE-2020-10995 HIGH
7.5 May 19

PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. Rated

CVE-2020-12244 HIGH
7.5 May 19

An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN respo

CVE-2018-16855 HIGH
7.5 Dec 03

An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigge

Vendor StatusVendor

SUSE

Severity: Moderate

Share

CVE-2026-42390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy