Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Network spoofing attack with no privileges; AC:H reflects DNS reply race/injection requirement; availability-only impact as DNSSEC validation failure disrupts resolution.
Primary rating from Vendor (OX).
CVSS VectorVendor: OX
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
AnalysisAI
DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be in a network position to inject or race-spoof DNS UDP replies toward the PowerDNS Recursor, spoofing the source IP of a legitimate authoritative server - this is a non-default capability requiring either on-path access, a compromised intermediate device, or exploitation of a lack of BCP38 anti-spoofing enforcement. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 5.9 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H is broadly consistent with the described attack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to inject or spoof DNS packets on the network path between the PowerDNS Recursor and a targeted authoritative server sends a forged DNS reply that mimics the authoritative server's IP but signals absence of EDNS support. The Recursor updates its internal state to mark that server as EDNS-incapable, disabling DNSSEC validation for all zones hosted on it. … |
| Remediation | The primary remediation is to apply the patch or upgrade to the fixed version of PowerDNS Recursor as specified in the vendor advisory at https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of response
An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. Rated high severity (CVSS 8.8), this vulne
Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]
An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authori
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth)
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. Rated high sever
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. Rated
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN respo
An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigge
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: ModerateShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39360
GHSA-c2h5-7f6m-jqmp