Description
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.
Published: 2026-06-25
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malicious authoritative DNS server can send a specially crafted zone to the PowerDNS Recursor using the ZoneToCache function. The Recursor lacks proper input validation for zone data, causing the program to crash. The crash results in a denial of service for services relying on the Recursor, as the process terminates and must be restarted to resume normal operation. This weakness is a classic example of insufficient input validation leading to a loss of availability.

Affected Systems

The vulnerability affects the PowerDNS Recursor software. No specific affected releases are listed, so any deployed instance that has not applied the later correction is potentially vulnerable. Administrators should verify the Recursor – or any derivative product – against the vendor advisory for a fix that addresses the input validation issue.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity, while the EPSS score is not available, making it difficult to gauge current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, suggesting limited widespread exploitation at the time of analysis. The attack vector is inferred to be Externally Network – a rogue authoritative server on the network can trigger the flaw. An attacker would need only to serve a crafted zone to a Recursor instance that accepts the ZoneToCache request. The result would be a disruption of DNS resolution services, potentially affecting multiple end users.

Generated by OpenCVE AI on June 25, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PowerDNS Recursor update that contains the input validation fix
  • Configure firewall rules to block ZoneToCache requests from untrusted or unknown authoritative servers
  • Monitor Recursor logs for abnormal zone transactions and trigger alert on unexpected crashes

Generated by OpenCVE AI on June 25, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6369-1 pdns-recursor security update
History

Thu, 25 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Thu, 25 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.
Title Insufficient input validation in ZoneToCache
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T14:41:46.920Z

Reserved: 2026-04-27T08:53:58.838Z

Link: CVE-2026-42387

cve-icon Vulnrichment

Updated: 2026-06-25T14:41:43.087Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T22:00:12Z

Weaknesses
  • CWE-20

    Improper Input Validation