SB2026052077 - Multiple vulnerabilities in PowerDNS Authoritative
Published: May 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Signal Handler Race Condition (CVE-ID: CVE-2026-42002)
CWE-ID: CWE-364 - Signal Handler Race Condition
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to race conditions in GSS-TSIG code when processing concurrent TKEY queries for the same key. A remote attacker can send concurrent TKEY queries for the same key to cause a denial of service.
Only deployments with gss-tsig support enabled are vulnerable.
2) Resource exhaustion (CVE-ID: CVE-2026-42001)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to missing sanity checks in the initial SOA query response handling when processing an ill-formed answer to an SOA query in autosecondary mode. A remote attacker can send or cause an ill-formed SOA query answer to cause a denial of service.
Exploitation requires the server to be running in autosecondary mode and to receive a notification for a not-yet-known domain.
3) Command injection (CVE-ID: CVE-2026-42000)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to modify backend configuration.
The vulnerability exists due to command injection in Bind backend AXFR name handling when processing an AXFR of a zone with specific contents. A remote attacker can provide a zone transfer containing names with special characters to modify backend configuration.
This issue affects AXFR operations involving the Bind backend and can cause the written configuration to become non-parsable until manual correction is performed.
4) Improper access control (CVE-ID: CVE-2026-41999)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in view selection for TCP PROXY requests when handling a TCP query using the PROXY protocol. A remote attacker can send a TCP query using the PROXY protocol to disclose sensitive information.
When views are enabled, the selected view is based on the proxy address rather than the original client address, which can result in wrong data being returned.
5) Code Injection (CVE-ID: CVE-2026-42396)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to code injection in catalog zone label computation when processing an AXFR of a catalog zone with a member whose producer group option contains a double-quote character. A remote privileged user can provide catalog zone member data containing a double-quote character to cause a denial of service.
This issue causes the catalog zone transfer to fail.
Remediation
Install update from vendor's website.