Skip to main content

Technitium DNS Server CVE-2026-45557

| EUVDEUVD-2026-30938 MEDIUM
Asymmetric Resource Consumption (Amplification) (CWE-405)
2026-05-19 cisa-cg GHSA-vpfg-gc96-vg45
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 19, 2026 - 15:22 NVD
5.8 (MEDIUM) 6.9 (MEDIUM)
Analysis Generated
May 19, 2026 - 15:02 vuln.today

DescriptionCVE.org

Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0.

AnalysisAI

Technitium DNS Server performs amplified outbound DNS traffic when processing domains with missing RRSIG records or mismatched DNSKEY records - an attacker who controls any domain can exploit this behavior to force the resolver into generating excessive network queries against third-party infrastructure. All versions prior to 15.0 are affected per the vendor CPE listing (cpe:2.3:a:technitium:dns_server:*:*:*:*:*:*:*:*). The CVSS Changed Scope (S:C) confirms that impact extends beyond the vulnerable server itself, affecting downstream network resources and other systems. No public exploit code has been identified at time of analysis, and this vulnerability is not currently listed in the CISA KEV catalog.

Technical ContextAI

CWE-405 (Asymmetric Resource Consumption / Amplification) describes the root cause: the server expends disproportionately more resources - outbound DNS queries - than the cost to trigger them. The vulnerability is rooted in DNSSEC validation logic. RRSIG records are cryptographic signatures over DNS resource record sets, and DNSKEY records hold the public keys used to verify those signatures. Technitium DNS Server's resolver, when encountering an authoritative zone with absent or mismatched DNSSEC records, aggressively re-fetches rather than failing gracefully or capping retry attempts. This design flaw transforms any attacker-controlled zone into a traffic amplification lever, directing disproportionate query load from the resolver outward. The CPE cpe:2.3:a:technitium:dns_server:*:*:*:*:*:*:*:* indicates all versions of the Technitium DNS Server application are in scope, without version-range exclusions prior to the fix.

RemediationAI

Upgrade Technitium DNS Server to version 15.0 or later, which contains the vendor-confirmed fix per the official changelog at https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-150. If immediate upgrade is not possible, consider rate-limiting outbound DNSSEC-related query retries at the network perimeter using firewall egress policies or DNS firewall rules to cap per-domain retry volume - this reduces amplification potential but may cause DNSSEC validation failures for legitimate zones with transient record issues, which is a notable trade-off. Restricting recursive resolution to trusted client IP ranges (disabling open resolver behavior) limits the attack surface by preventing arbitrary external actors from inducing resolution of attacker-controlled domains, though this does not eliminate the risk if internal clients can be manipulated. Monitoring for anomalous outbound DNS query spikes toward unfamiliar authoritative nameservers can serve as a detection compensating control.

Share

CVE-2026-45557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy