Description
Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response.
Published: 2026-04-26
Score: 4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: DNS Cache Poisoning
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to inject malicious data into the recursor’s cache for zones that were not the original query target, enabling the return of forged DNS responses. This can redirect users to malicious sites or disrupt resolution for victim zones. The weakness is a flaw in how cached data is tied to queries (CWE-706). The problem is not a high‑severity code execution flaw, but it can degrade trust in DNS resolution in the affected system.

Affected Systems

The issue affects the Hickory Project Hickory DNS recursor from version 0.1 up to and including 0.25.2. Any deployment of the recursor within this version range is vulnerable.

Risk and Exploitability

The CVSS score of 4 indicates moderate severity. Exploitation requires only sending crafted DNS requests to the recursor, so the attack vector is the network. The EPSS score of less than 1% suggests a low likelihood of real‑world exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw can lead to unauthorized DNS record injection, it poses a tangible risk to the integrity of DNS data in systems that expose the recursor to untrusted networks.

Generated by OpenCVE AI on April 28, 2026 at 05:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of Hickory DNS recursor (>= 0.26.0) where the known cross‑zone poisoning issue has been addressed.
  • If an immediate upgrade is not possible, block or restrict external DNS query traffic to the recursor using firewall rules or access control lists, limiting operations to trusted networks only.
  • Monitor DNS logs for anomalous or unexpected record insertions and validate that responses correspond to legitimate zone data.



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 05:45:00 +0000

Type | Values Removed | Values Added
Title |  | Cross‑Zone DNS Poisoning in Hickory DNS Recursor

Mon, 27 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Hickory Project; Hickory Project hickory Dns
Vendors & Products |  | Hickory Project; Hickory Project hickory Dns

Mon, 27 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 26 Apr 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description |  | Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response.
Weaknesses |  | CWE-706
References |  |
Metrics |  | cvssV3_1: {'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T13:33:50.961Z

Reserved: 2026-04-26T02:38:40.734Z

Link: CVE-2026-42254

Vulnrichment

Updated: 2026-04-27T13:18:58.827Z

NVD

Status: Awaiting Analysis

Published: 2026-04-26T03:15:59.080

Modified: 2026-04-27T18:57:20.293

Link: CVE-2026-42254

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:30:23Z

Weaknesses