Description
An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An invalid DNS zone can satisfy ZONEMD validation checks, causing the PowerDNS Recursor to accept and cache incorrect authoritative data. This flaw is a logic error in the validation routine and does not provide code execution or privilege escalation, but it undermines the integrity of the recursor’s cached information and can lead to DNS spoofing or cache poisoning.

Affected Systems

The vulnerability affects the PowerDNS Recursor component. Any deployment that enables the ZoneToCache feature with ZONEMD validation is potentially vulnerable; the advisory does not list specific product versions.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, so no known public exploits are reported. Based on the description, it is inferred that the attack vector is a network‑based DNS query that delivers a crafted zone to a recursor configured with ZONEMD validation. The practical risk remains moderate until a patch is applied.

Generated by OpenCVE AI on June 25, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PowerDNS Recursor release that contains the ZONEMD validation bug fix.
  • If the ZoneToCache feature is not required, disable ZONEMD validation in the recursor’s configuration to remove the validation path.
  • Monitor DNS traffic for unexpected or malformed zone data and verify cache consistency if the vulnerability is suspected.
  • If immediate patching is not possible, limit exposure by ensuring the recursor is only reachable from trusted networks or firewalls that block unsolicited zone transfer queries.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-682

Thu, 25 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-20
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
Title | | ZONEMD validation can be bypassed
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T14:25:44.416Z

Reserved: 2026-04-27T08:53:58.839Z

Link: CVE-2026-42390

Vulnrichment

Updated: 2026-06-25T14:25:26.858Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:15:15Z

Weaknesses