Description
Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
Published: 2026-05-21
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw involves insufficient validation of member zone data in PowerDNS Authoritative servers, which can trigger a failure during catalog zone transfers. When a zone transfer is attempted, the server may reject or abort the operation, effectively preventing clients from obtaining updated DNS zone information. This disruption does not compromise data confidentiality or integrity but can interrupt service availability for any client relying on timely zone transfers.

Affected Systems

All installations of the PowerDNS Authoritative server are potentially impacted. No specific affected versions are listed, so any deployment of the PowerDNS authoritative component should be considered at risk until a patch is applied.

Risk and Exploitability

With a CVSS score of 4.9, the risk is moderate. The EPSS score is less than 1%, and the vulnerability is not listed in CISA KEV, indicating no widely documented exploitation. The attack vector is inferred to be remote, via normal DNS traffic, since any client can initiate a catalog transfer. Exploitation would result in denial of zone transfer and degraded DNS service rather than credential compromise or data theft.

Generated by OpenCVE AI on May 21, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the PowerDNS patch that addresses the vulnerability, eliminating the improper input validation flaw. Upgrading mitigates the risk of catalog zone transfer failures.
  • Enable strict zone data validation features or disable dynamic code execution in the parsing logic to counteract the code injection weakness (CWE-94), preventing attackers from causing transfer failures through crafted data.
  • Restrict AXFR/IXFR requests to known, trusted IP addresses and monitor failed transfer attempts to detect exploitation attempts.

Advisories

Source: Debian DSA
ID: DSA-6284-1
Title: pdns security update

History

Thu, 21 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Thu, 21 May 2026 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Powerdns; Powerdns authoritative
Weaknesses CWE-20
Vendors & Products Powerdns; Powerdns authoritative

Thu, 21 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
Title Insufficient Validation of Member Zone Data May Cause Catalog Zone Transfer to Fail
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-05-21T12:03:16.000Z

Reserved: 2026-04-27T08:53:58.839Z

Link: CVE-2026-42396

Vulnrichment

Updated: 2026-05-21T12:03:10.266Z

NVD

Status: Awaiting Analysis

Published: 2026-05-21T10:16:25.927

Modified: 2026-05-21T15:27:51.530

Link: CVE-2026-42396

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T17:30:15Z

Weaknesses