PowerDNS has issued a coordinated set of security advisories addressing multiple vulnerabilities discovered within its Authoritative Server software. The two newly patched flaws expose affected deployments to Denial of Service (DoS) states and memory corruption.
The most critical flaw in the lineup is CVE-2026-42001, which earns a High severity rating. If your server operates in autosecondary mode and receives a notification for a domain it does not know yet, an ill-formed response to the initial SOA query can cause the entire server to crash. It is a textbook Denial of Service (DoS) vulnerability stemming from a simple lack of sanity checks on incoming answers.
The advisory also covers several Medium severity bugs that can easily disrupt daily operations:
- CVE-2026-42002: Concurrency and locking defects in the GSS-TSIG code can let concurrent TKEY queries share data structures unintentionally, leading to memory corruption or an unexpected server exit. In addition, the number of in-flight GSS-TSIG contexts is not bounded, so an attacker can drive memory consumption up without limit.
- CVE-2026-42000: Missing escaping of special characters (such as $ or @) in DNS names received during an AXFR can produce an unparsable Bind backend configuration. The backend then stays broken until an operator repairs the configuration files by hand.
- CVE-2026-42396: If a producer group option contains a double-quote character, the missing escaping causes the AXFR of the catalog zone to fail entirely.
For those running the 5.0.x branch, CVE-2026-41999 introduces an information disclosure risk. When handling TCP queries using the PROXY protocol, PowerDNS mistakenly selects the database view based on the proxy’s IP address rather than the initial client’s IP. Consequently, the server may serve the wrong data to the requesting client.
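The view-selection mistake described above comes down to which address a server treats as the client: the TCP peer (the proxy) or the address carried inside the PROXY protocol header. The following Python is an added illustration, not PowerDNS code: it parses a PROXY protocol v1 header, then contrasts a selector that keys on the peer address (the behaviour the advisory describes) with one that keys on the original client address. The view table, the network ranges and the sample addresses are constructed for the example.

```python
"""Select a DNS view by the original client address carried in a PROXY v1
header, rather than by the address of the proxy that opened the TCP socket.
Added example; the view table and addresses below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed view table: view name -> networks whose clients receive it.
# Ordered so that the most specific view is checked first.
VIEWS: Dict[str, List[ipaddress._BaseNetwork]] = {
    "internal": [ipaddress.ip_network("10.0.0.0/8")],
    "public": [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")],
}


def select_view(client_ip: str) -> str:
    """Return the first view whose networks contain client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for name, nets in VIEWS.items():
        # ipaddress returns False for a version mismatch, so mixing v4/v6 is safe.
        if any(addr in net for net in nets):
            return name
    return "public"


def parse_proxy_v1(data: bytes) -> Tuple[str, bytes]:
    """Parse a PROXY protocol v1 header from the start of a TCP stream.

    Format: b"PROXY TCP4 <src> <dst> <sport> <dport>\\r\\n" followed by the
    real payload. Returns (original client IP, remaining payload).
    """
    line, sep, rest = data.partition(b"\r\n")
    if not sep or not line.startswith(b"PROXY "):
        raise ValueError("missing PROXY v1 header")
    fields = line.decode("ascii", errors="strict").split(" ")
    if len(fields) == 2 and fields[1] == "UNKNOWN":
        # The proxy could not determine the client; there is nothing to trust.
        raise ValueError("PROXY UNKNOWN: no client address available")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src_ip = fields[2]
    ipaddress.ip_address(src_ip)  # raises ValueError if not a valid address
    return src_ip, rest


def view_for_connection_peer_based(peer_ip: str, data: bytes) -> str:
    """Flawed selection: keys the view on the TCP peer, i.e. the proxy."""
    parse_proxy_v1(data)  # header is consumed but its client address is ignored
    return select_view(peer_ip)


def view_for_connection_client_based(peer_ip: str, data: bytes) -> str:
    """Corrected selection: keys the view on the address inside the header."""
    client_ip, _payload = parse_proxy_v1(data)
    return select_view(client_ip)


if __name__ == "__main__":
    # Constructed scenario: an internal proxy (10.1.2.3) forwards a query from
    # an external client (203.0.113.7). Only the client-based selector is right.
    proxy_ip = "10.1.2.3"
    stream = b"PROXY TCP4 203.0.113.7 10.1.2.3 56324 53\r\n" + b"<dns query>"
    print("peer-based:  ", view_for_connection_peer_based(proxy_ip, stream))
    print("client-based:", view_for_connection_client_based(proxy_ip, stream))
```

The peer-based selector returns the internal view for an external client, which is exactly the wrong-data outcome the advisory warns about; the client-based one returns the public view. In practice a server should also only honour PROXY headers from proxies it has explicitly allow-listed, since any peer that can send the header can otherwise claim an arbitrary client address.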
Fortunately, none of these flaws leads to full system compromise. The resolution is simple: upgrade to PowerDNS Authoritative Server 4.9.15 or 5.0.5. Until you can upgrade, the individual risks can be mitigated by disabling the affected feature, whether GSS-TSIG, autosecondary operation or views, wherever your configuration allows.