Skip to main content

Technitium DNS Server EUVDEUVD-2026-25688

| CVE-2026-42255 HIGH
Incorrect Provision of Specified Functionality (CWE-684)
2026-04-26 mitre
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

7
Patch released
Apr 29, 2026 - 18:54 nvd
Patch available
Re-analysis Queued
Apr 27, 2026 - 19:07 vuln.today
cvss_changed
Patch available
Apr 26, 2026 - 05:01 EUVD
Analysis Generated
Apr 26, 2026 - 04:30 vuln.today
EUVD ID Assigned
Apr 26, 2026 - 04:15 euvd
EUVD-2026-25688
Analysis Generated
Apr 26, 2026 - 04:15 vuln.today
CVE Published
Apr 26, 2026 - 02:48 nvd
HIGH 7.2

DescriptionCVE.org

Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation.

AnalysisAI

DNS traffic amplification via cyclic nameserver delegation in Technitium DNS Server versions before 15.0 enables unauthenticated remote attackers to conduct distributed denial-of-service (DDoS) attacks. Attackers can exploit misconfigured or maliciously crafted DNS delegation chains to create resolution loops, forcing the server to generate significantly larger response traffic than the initial query size. This amplification can be weaponized against third-party victims, with the vulnerable server acting as an unwitting participant in reflection attacks. CVSS 7.2 (High) reflects network-accessible exploitation requiring no authentication, with cross-scope impact affecting availability and integrity of downstream systems.

Technical ContextAI

This vulnerability affects Technitium DNS Server (cpe:2.3:a:technitium:dnsserver:*:*:*:*:*:*:*:*), an open-source authoritative and recursive DNS server implementation. The root cause is CWE-684 (Incorrect Provision of Specified Functionality), specifically inadequate validation of nameserver delegation chains during recursive resolution. DNS amplification attacks exploit the protocol's UDP-based request-response model where small queries generate disproportionately large responses. Cyclic delegation occurs when nameserver records create circular references (e.g., domain A delegates to nameserver in domain B, which delegates back to domain A), causing recursive resolvers to enter infinite or extended query loops. Without proper cycle detection and loop prevention mechanisms, the server can be manipulated into generating sustained high-volume traffic, making it an effective DDoS amplifier with bandwidth multiplication factors potentially exceeding 50:1.

RemediationAI

Upgrade to Technitium DNS Server version 15.0 or later immediately. Download the patched release from the official GitHub repository (https://github.com/TechnitiumSoftware/DnsServer) or through standard package management channels. Version 15.0 implements enhanced cycle detection in delegation chain processing to prevent infinite resolution loops. For organizations unable to upgrade immediately, implement these compensating controls with their trade-offs: (1) Configure strict rate limiting on recursive queries from untrusted sources-reduces amplification potential but may impact legitimate high-volume clients; (2) Restrict recursive resolution to trusted internal networks only via access control lists, switching to authoritative-only mode for internet-facing instances-eliminates amplification risk but requires separate recursive resolver infrastructure for internal users; (3) Deploy DNS response rate limiting (RRL) to cap outbound response volumes per client-mitigates DDoS impact but may cause false positives during legitimate traffic bursts; (4) Monitor for abnormal query patterns indicative of delegation loops (excessive NXDOMAIN responses, query chains to same domains)-provides detection but no prevention. Note that firewall-based query filtering cannot effectively prevent this as the malicious delegation structure exists in legitimate DNS infrastructure.

Share

EUVD-2026-25688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy