Description
Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0.
Published: 2026-05-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Technitium DNS Server contains a logic flaw that causes it to repeatedly request missing RRSIG records or mismatched DNSKEY records. An attacker who controls a domain can trigger these excessive queries and generate a large volume of outbound DNS traffic from the server. The result is network resource exhaustion, which effectively denies legitimate DNS request processing or degrades service availability. The weakness aligns with CWE-405 (Denial of Service) and CWE-406 (Resource Exhaustion).

Affected Systems

All instances of Technitium DNS Server running a version earlier than 15.0 are affected. Version 15.0 introduces a fix that limits the number of DNSSEC requests issued for the same domain. Other older releases therefore retain the vulnerability and should be upgraded.

Risk and Exploitability

The CVSS score of 6.9 places this flaw in the moderate‑high severity range. Although EPSS data is unavailable, the lack of a KEV listing indicates that no widespread public exploits are known. Nevertheless, the attack vector is straightforward: the attacker only needs to control a domain that the server will query. Once the DNS record is propagated, the server will continuously send DNSSEC requests until internal limits are reached, providing a reliable denial‑of‑service mechanism.

Generated by OpenCVE AI on May 19, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Technitium DNS Server to version 15.0 or later to apply the DNSSEC request limit fix.
  • Ensure DNSSEC validation remains enabled and properly configured so the server does not attempt unnecessary queries.
  • Monitor outgoing DNS traffic for sudden spikes in RRSIG or DNSKEY requests and consider applying rate‑limiting or firewall rules to contain abuse.

Generated by OpenCVE AI on May 19, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Technitium
Technitium dns Server
Vendors & Products Technitium
Technitium dns Server

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. Fixed in 15.0.
Title Technitium DNS Server excessive DNSSEC requests
Weaknesses CWE-405
CWE-406
CWE-770
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L'}

Subscriptions

Technitium Dns Server
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-05-19T14:57:56.327Z

Reserved: 2026-05-12T18:08:43.759Z

Link: CVE-2026-45557

cve-icon Vulnrichment

Updated: 2026-05-19T14:57:51.499Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-19T15:16:31.640

Modified: 2026-05-19T17:57:25.143

Link: CVE-2026-45557

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:45:08Z

Weaknesses