SB20260625205 - Multiple vulnerabilities in PowerDNS Recursor
Published: June 25, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Acceptance of Extraneous Untrusted Data With Trusted Data (CVE-ID: CVE-2026-33612)
CWE-ID: CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to poison the cache.
The vulnerability exists due to acceptance of extraneous untrusted data in the ZoneToCache function when processing a crafted zone. A remote attacker can send a crafted zone to poison the cache.
Only configurations that use ZoneToCache are vulnerable.
2) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2026-40012)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of resource to wrong sphere in the packet cache when handling ECS-enabled queries. A remote attacker can send queries using a specific ECS to disclose sensitive information.
Only configurations with ECS enabled are vulnerable.
3) Insufficient verification of data authenticity (CVE-ID: CVE-2026-42390)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass ZONEMD validation.
The vulnerability exists due to improper verification of cryptographic signature in ZONEMD validation when processing a crafted zone. A remote attacker can send a crafted zone to bypass ZONEMD validation.
This is only relevant if ZoneToCache is configured with ZONEMD validation.
4) Input validation error (CVE-ID: CVE-2026-42388)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in catalog zone SOA record handling when processing a crafted catalog zone. A remote attacker can send a crafted catalog zone to cause a denial of service.
Only configurations with catalog zones enabled are vulnerable.
5) Input validation error (CVE-ID: CVE-2026-42387)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the ZoneToCache function when processing a crafted zone containing an invalid RRSIG record. A remote attacker can send a crafted zone to cause a denial of service.
Only configurations that use ZoneToCache are vulnerable.
6) Authentication Bypass by Spoofing (CVE-ID: CVE-2026-52690)
CWE-ID: CWE-290 - Authentication Bypass by Spoofing
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to authentication bypass by spoofing in EDNS capability tracking for authoritative servers when processing spoofed replies. A remote attacker can spoof replies to cause a denial of service.
The issue can cause DNSSEC validation of zones served by the targeted authoritative server to fail.
7) Input validation error (CVE-ID: CVE-2026-42389)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to poison the cache.
The vulnerability exists due to improper input validation in incoming answers from authoritative servers when processing crafted replies with invalid header values. A remote attacker can send spoofed crafted replies to poison the cache.
Exploitation requires massive spoofing attempts.
Remediation
Install update from vendor's website.