External risk intelligence

Attacker can disrupt PowerDNS Authoritative services

CVE advisory

Severity: HIGH (CVSS 7.5)

CVE-2026-42001

A problem in PowerDNS Authoritative can let someone crash the service with specially crafted requests, potentially disrupting internet services. This issue is important now because it affects internet-facing systems.

Halo Surface Signal: 5

PowerDNS Authoritative

  • 4.1.0 to before 4.9.15
  • 5.0.0 to before 5.0.5

External exposure likelihood

Halo Surface Signal score for CVE-2026-42001

PowerDNS Authoritative is a DNS server designed to be internet-facing to resolve domain queries. As a core infrastructure component, it is commonly deployed in public-facing roles to handle network traffic and domain name resolution, making this service intentionally exposed to the internet.

PCI scan relevance

PCI Relevance for CVE-2026-42001

Yes

CVE-2026-42001 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability may cause a PCI scan failure because it relates to denial-of-service attacks against PowerDNS Authoritative servers.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability involves insufficient validation of specific queries made to the PowerDNS Authoritative DNS server. An attacker could potentially exploit this to disrupt the server's normal operation, impacting its ability to serve DNS requests. It's important to address this to maintain reliable internet services.

  • Affects public-facing DNS servers.
  • Could lead to service disruption.
  • Requires careful attention due to internet exposure.

Attack Path

How an attacker could exploit the issue

An attacker could send specially crafted DNS queries to a vulnerable PowerDNS Authoritative server. The server's insufficient validation of these autoprimary SOA queries could lead to a denial-of-service condition, making the DNS service unavailable to legitimate users.

  • Network access required.
  • Vulnerable to crafted DNS queries.
  • Exploitation causes denial of service.

Live Threat

Current exploitation, exposure, and threat context

The observed vulnerability in PowerDNS Authoritative related to insufficient validation of Autoprimary SOA queries could be attractive to attackers due to its potential impact on DNS resolution services. However, without further information on exploitability, the current threat picture remains uncertain.

  • Attackers may target DNS infrastructure.
  • Specific exploit details are not yet public.
  • Public exploitation is not observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any PowerDNS Authoritative services running versions 4.1.0 through 4.9.14 or 5.0.0 through 5.0.4, as the insufficient validation of Autoprimary SOA queries poses a significant remote denial-of-service risk. Network-facing systems are particularly vulnerable.

  • Upgrade to PowerDNS Authoritative 4.9.15 or 5.0.5.
  • Monitor network traffic for unusual SOA query patterns.
  • Implement rate limiting on DNS queries.
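
One way to act on the "monitor network traffic for unusual SOA query patterns" step, as an added example that is not from this advisory or the PowerDNS project: it parses captured DNS queries in wire format and flags sources that send bursts of SOA queries. The threshold, window, function names and sample packets are assumptions; because exploit details are not public, it flags query volume only, not a specific payload.

```python
import struct
from collections import defaultdict, deque

QTYPE_SOA = 6  # RFC 1035 type code for SOA

def parse_question(msg: bytes):
    """Return (qname, qtype) of the first question in a DNS query, or None."""
    if len(msg) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", msg[2:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        length = msg[pos]
        if length > 63 or pos + 1 + length > len(msg):  # pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 5 > len(msg):  # need the root label plus QTYPE and QCLASS
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels) + ".", qtype

def flag_soa_bursts(events, threshold=5, window=10.0):
    """events: time-ordered (timestamp, src_ip, raw_dns_message) tuples.
    Returns {src_ip: peak SOA count in `window` seconds} for sources over `threshold`."""
    recent, flagged = defaultdict(deque), {}
    for ts, src, raw in events:
        question = parse_question(raw)
        if question is None or question[1] != QTYPE_SOA:
            continue
        times = recent[src]
        times.append(ts)
        while ts - times[0] > window:  # drop timestamps that left the window
            times.popleft()
        if len(times) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(times))
    return flagged

def build_query(name, qtype, txid=0x1234):
    """Constructed sample data: a minimal DNS query in wire format."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed events: one source bursts 8 SOA queries in 4 s, another sends slow mixed traffic.
SAMPLE = [(i * 0.5, "192.0.2.10", build_query("example.org", QTYPE_SOA)) for i in range(8)]
SAMPLE += [(20.0 + i * 30, "198.51.100.7", build_query("example.org", 6 if i % 2 else 1)) for i in range(4)]
if __name__ == "__main__": print(flag_soa_bursts(SAMPLE))
```

Tune `threshold` and `window` against a baseline of normal SOA traffic from your own secondaries before alerting on the output.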

Frequently asked questions

What is PowerDNS Authoritative and what is it used for?

PowerDNS Authoritative is a DNS server software that handles domain name resolution. It's used by organizations to make their websites and online services accessible on the internet by translating human-readable domain names into machine-readable IP addresses.

What kind of weakness does CVE-2026-42001 describe in PowerDNS Authoritative?

CVE-2026-42001 refers to a 'CWE-400: Uncontrolled Resource Consumption' weakness. This means the software doesn't properly manage or limit its use of resources when processing certain types of queries, which can lead to disruptions.

How can an attacker exploit the vulnerability in PowerDNS Authoritative?

An attacker can trigger this vulnerability by sending specially crafted DNS queries related to autoprimary SOA records. The software's failure to validate these queries correctly is what can lead to a denial-of-service condition, disrupting its normal operation.

Who should be concerned about this PowerDNS Authoritative vulnerability?

Organizations running PowerDNS Authoritative, especially those with internet-facing DNS servers, should be concerned. This is because the software is designed to be exposed to the internet to handle domain queries, making it a potential target for disruption.

What is the first step to address the CVE-2026-42001 vulnerability?

The immediate step is to upgrade affected versions of PowerDNS Authoritative to a patched version. Specifically, versions 4.9.15 or 5.0.5 are recommended to fix the insufficient validation of Autoprimary SOA queries.