Skip to main content

PowerDNS Authoritative CVE-2026-42396

| EUVDEUVD-2026-31265 MEDIUM
Code Injection (CWE-94)
2026-05-21 OX GHSA-hm6h-mcgv-h2x8
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
May 21, 2026 - 11:01 EUVD
Analysis Generated
May 21, 2026 - 10:47 vuln.today

DescriptionCVE.org

Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail

AnalysisAI

Catalog zone transfer failure in PowerDNS Authoritative can be triggered by a high-privileged remote attacker who injects insufficiently validated member zone data, causing the catalog zone transfer mechanism to abort and preventing secondary nameservers from receiving zone updates. The impact is a targeted denial-of-service against DNS zone replication infrastructure, affecting any deployment using catalog zones (RFC 9432). No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

PowerDNS Authoritative (CPE: cpe:2.3:a:powerdns:authoritative:*:*:*:*:*:*:*:*) is a widely deployed authoritative DNS server that supports catalog zones per RFC 9432 - a mechanism where a primary server distributes zone provisioning data to secondaries via a special catalog zone. The vulnerability lies in insufficient validation of member zone data embedded within catalog zones: when malformed or unexpected member zone entries are processed, the transfer operation fails entirely rather than skipping or rejecting the bad entry. No CWE was assigned, but the root cause pattern aligns with improper input validation (CWE-20) in DNS zone data parsing. Notably, the vulnerability tag lists 'Information Disclosure,' which is inconsistent with the CVSS impact metrics showing C:N/I:N/A:H - this discrepancy warrants verification against the vendor advisory.

RemediationAI

Consult the official PowerDNS advisory (powerdns-2026-06) at https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-powerdns-2026-06.html for the specific patched version and upgrade path. An exact fix version number is not independently confirmed from available input data - the advisory must be treated as authoritative. As a compensating control prior to patching, restrict write and provisioning access to catalog zone data to the minimum set of trusted administrative accounts, reducing the pool of principals capable of injecting malformed member zone entries. Additionally, operators not using catalog zone functionality can disable it to eliminate the attack surface entirely, with the trade-off of losing automated secondary provisioning capabilities.

CVE-2016-5427 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . Rated high severity (CVSS 7.5), this

CVE-2016-5426 HIGH
7.5 Sep 21

PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU

CVE-2020-24698 CRITICAL
9.8 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated criti

CVE-2020-24696 HIGH
8.1 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2015-1868 HIGH
7.8 May 18

The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori

CVE-2015-5470 HIGH
7.8 Nov 02

The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)

CVE-2026-42001 HIGH
7.5 May 21

Remote denial of service in PowerDNS Authoritative Server arises from insufficient validation of SOA queries received vi

CVE-2020-24697 HIGH
7.5 Oct 02

An issue was discovered in PowerDNS Authoritative through 4.3.0 when --enable-experimental-gss-tsig is used. Rated high

CVE-2019-10162 HIGH
7.5 Jul 30

A vulnerability has been found in PowerDNS Authoritative Server before versions 4.1.10, 4.0.8 allowing an authorized use

CVE-2018-14626 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerab

CVE-2018-10851 HIGH
7.5 Nov 29

PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excludi

CVE-2026-42000 MEDIUM
6.8 May 21

Integrity compromise in PowerDNS Authoritative Server allows network-positioned attackers to inject unauthorized DNS rec

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-42396 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy