Description
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing validation of DNSSEC records served by that server to fail.
Published: 2026-06-25
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to forge DNS responses that convince the Recursor that a legitimate authoritative server does not support EDNS. Because the Recursor then rejects or degrades validation of DNSSEC records from that server, any DNSSEC‑protected domain served by the affected authoritative source becomes unresolvable for clients relying on this Recursor, effectively denying access to those domains.

Affected Systems

The flaw is present in PowerDNS Recursor, a DNS recursive resolver used by many organizations to provide name resolution to end users. Any environment that deploys an affected version of Recursor and sends queries to authoritative servers over a network path where replies can be spoofed, without proper validation configured, is at risk.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, and no EPSS score is available, so the current exploitation probability is unclear. The vulnerability is not listed in the CISA KEV catalog. The attack requires injecting forged DNS replies on the network path between the Recursor and the authoritative server, over UDP or TCP. Once a spoofed response is accepted, the Recursor's internal state records that server as non-EDNS, causing DNSSEC validation failures for subsequent queries to it. The impact is limited to the affected resolver and its downstream clients, but it can disrupt access to DNSSEC-signed domains within an organization.

Generated by OpenCVE AI on June 25, 2026 at 16:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PowerDNS Recursor to the latest release that contains the patch for this DNS reply spoofing issue.
  • Configure the Recursor to enforce strict inbound packet validation, rejecting any DNS responses that do not match the expected EDNS flags or source credentials.
  • Monitor outgoing and incoming DNS traffic for anomalous responses and verify that upstream authoritative servers are correctly configured for EDNS and DNSSEC support.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 16:00:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-20

Thu, 25 Jun 2026 15:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-290
Metrics    |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
Title       |                | Spoofed answers can mark an authoritative non-EDNS capable
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: OX

Published:

Updated: 2026-06-25T14:21:36.692Z

Reserved: 2026-06-08T08:05:31.708Z

Link: CVE-2026-52690

Vulnrichment

Updated: 2026-06-25T14:21:27.232Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T15:45:05Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-290: Authentication Bypass by Spoofing