SB2026052101 - Debian update for pdns

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026052101

SB2026052101 - Debian update for pdns

Published: May 21, 2026

Security Bulletin ID SB2026052101
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Command injection (CVE-ID: CVE-2026-42000)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to modify backend configuration.

The vulnerability exists due to command injection in Bind backend AXFR name handling when processing an AXFR of a zone with specific contents. A remote attacker can provide a zone transfer containing names with special characters to modify backend configuration.

This issue affects AXFR operations involving the Bind backend and can cause the written configuration to become non-parsable until manual correction is performed.


2) Resource exhaustion (CVE-ID: CVE-2026-42001)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to missing sanity checks in the initial SOA query response handling when processing an ill-formed answer to an SOA query in autosecondary mode. A remote attacker can send or cause an ill-formed SOA query answer to cause a denial of service.

Exploitation requires the server to be running in autosecondary mode and to receive a notification for a not-yet-known domain.


3) Signal Handler Race Condition (CVE-ID: CVE-2026-42002)

CWE-ID: CWE-364 - Signal Handler Race Condition

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to race conditions in GSS-TSIG code when processing concurrent TKEY queries for the same key. A remote attacker can send concurrent TKEY queries for the same key to cause a denial of service.

Only deployments with gss-tsig support enabled are vulnerable.


4) Code Injection (CVE-ID: CVE-2026-42396)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to code injection in catalog zone label computation when processing an AXFR of a catalog zone with a member whose producer group option contains a double-quote character. A remote privileged user can provide catalog zone member data containing a double-quote character to cause a denial of service.

This issue causes the catalog zone transfer to fail.


Remediation

Install update from vendor's website.

References