Description
Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
Published: 2026-06-25
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incomplete validation of the SOA record present in a catalog zone might lead to a crash. The vulnerability allows an attacker to trigger a denial‑of‑service condition by sending a malformed or unexpected SOA record that is not properly checked before processing. The resulting crash terminates the recursor process, disrupting DNS resolution for clients that rely on it. This weakness primarily affects availability and is an instance of improper input validation (CWE‑20).

Affected Systems

PowerDNS Recursor is affected. No specific version information is provided in the advisory; administrators should verify whether their installed version falls within the range of releases that implement the fix, as documented by PowerDNS.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. The EPSS score is not available, and the vulnerability is currently not listed in CISA’s KEV catalog, suggesting limited evidence of active exploitation. The likely attack vector involves an adversary introducing a vulnerable catalog zone—either via a zone transfer or an authoritative source that the recursor accepts—so the flaw can be triggered by receiving untrusted zone data. While the risk of exploitation is moderate, the absence of widespread exploitation mitigates immediate concern, yet administrators should prepare to remediate promptly if they operate recursors that handle catalog zones.

Generated by OpenCVE AI on June 25, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PowerDNS Recursor to a version that contains the patch for the SOA record validation flaw.
  • Disable or restrict processing of catalog zones if they are not required, for example by configuring the recursor to reject external zone transfers or ignoring user‑supplied zones.
  • Monitor recursor logs and system events for unexpected crashes or restarts, and set up alerts to detect denial‑of‑service patterns promptly.

Generated by OpenCVE AI on June 25, 2026 at 16:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6369-1 pdns-recursor security update
History

Fri, 26 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns
Powerdns recursor
Vendors & Products Powerdns
Powerdns recursor

Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
Title Missing input validation for catalog zones
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Powerdns Recursor
cve-icon MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T14:42:18.369Z

Reserved: 2026-04-27T08:53:58.839Z

Link: CVE-2026-42388

cve-icon Vulnrichment

Updated: 2026-06-25T14:42:07.844Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T23:45:04Z

Weaknesses
  • CWE-20

    Improper Input Validation