CVE-2026-42389 (GCVE-0-2026-42389)
Vulnerability from cvelistv5 – Published: 2026-06-25 13:16 – Updated: 2026-06-25 14:58
Title
Reject more queries with invalid header values
Summary
This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- Improper Input Validation
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
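Impacted products
- PowerDNS Recursor (package pdns-recursor): affected from 5.4.0 up to, but not including, 5.4.3 (semver); default status: unaffected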
Date Public
2026-06-24 22:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T14:58:11.587235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T14:58:17.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.powerdns.com/",
"defaultStatus": "unaffected",
"modules": [
"Web Server"
],
"packageName": "pdns-recursor",
"product": "Recursor",
"programFiles": [
"pdns_recursor.cc"
],
"repo": "https://github.com/PowerDNS/pdns",
"vendor": "PowerDNS",
"versions": [
{
"lessThan": "5.4.3",
"status": "affected",
"version": "5.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Xiang Li, Mingming Zhang, Fasheng Miao, Zuyao Xu from AOSP Lab, Nankai University, Zhongguancun Lab, Tsinghua University"
}
],
"datePublic": "2026-06-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThis fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.\u003c/p\u003e"
}
],
"value": "This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T13:16:45.245Z",
"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"shortName": "OX"
},
"references": [
{
"url": "https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Reject more queries with invalid header values",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"assignerShortName": "OX",
"cveId": "CVE-2026-42389",
"datePublished": "2026-06-25T13:16:45.245Z",
"dateReserved": "2026-04-27T08:53:58.839Z",
"dateUpdated": "2026-06-25T14:58:17.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42389\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T14:58:11.587235Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-25T14:57:57.948Z\"}}], \"cna\": {\"title\": \"Reject more queries with invalid header values\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Xiang Li, Mingming Zhang, Fasheng Miao, Zuyao Xu from AOSP Lab, Nankai University, Zhongguancun Lab, Tsinghua University\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/PowerDNS/pdns\", \"vendor\": \"PowerDNS\", \"modules\": [\"Web Server\"], \"product\": \"Recursor\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.4.0\", \"lessThan\": \"5.4.3\", \"versionType\": \"semver\"}], \"packageName\": \"pdns-recursor\", \"programFiles\": [\"pdns_recursor.cc\"], \"collectionURL\": \"https://repo.powerdns.com/\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-06-24T22:00:00.000Z\", 
\"references\": [{\"url\": \"https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-powerdns-2026-08.html\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThis fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"8ce71d90-2354-404b-a86e-bec2cc4e6981\", \"shortName\": \"OX\", \"dateUpdated\": \"2026-06-25T13:16:45.245Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42389\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-25T14:58:17.088Z\", \"dateReserved\": \"2026-04-27T08:53:58.839Z\", \"assignerOrgId\": \"8ce71d90-2354-404b-a86e-bec2cc4e6981\", \"datePublished\": \"2026-06-25T13:16:45.245Z\", \"assignerShortName\": \"OX\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.