CVE-2026-42005

Name	CVE-2026-42005
Description	An attacker can send a web request that causes unlimited memory alloc ...
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-6367-1, DSA-6368-1, DSA-6369-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
dnsdist (PTS)	bullseye	1.5.1-3	vulnerable
	bookworm	1.7.3-2	vulnerable
	trixie	1.9.14-0+deb13u1	vulnerable
	trixie (security)	1.9.15-0+deb13u1	fixed
	forky	2.0.5-2	vulnerable
	sid	2.0.5-3	vulnerable
pdns (PTS)	bullseye	4.4.1-1	vulnerable
	bookworm	4.7.3-2	vulnerable
	trixie	4.9.14-0+deb13u1	vulnerable
	trixie (security)	4.9.16-0+deb13u1	fixed
	forky, sid	5.1.1-3	vulnerable
pdns-recursor (PTS)	bullseye	4.4.2-3	vulnerable
	bookworm, bookworm (security)	4.8.8-1+deb12u1	vulnerable
	trixie	5.2.9-0+deb13u1	vulnerable
	trixie (security)	5.2.11-0+deb13u1	fixed
	forky, sid	5.4.2-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
dnsdist	source	bullseye	(unfixed)	end-of-life
dnsdist	source	bookworm	(unfixed)	end-of-life
dnsdist	source	trixie	1.9.15-0+deb13u1		DSA-6367-1
dnsdist	source	(unstable)	(unfixed)
pdns	source	bullseye	(unfixed)	end-of-life
pdns	source	bookworm	(unfixed)	end-of-life
pdns	source	trixie	4.9.16-0+deb13u1		DSA-6368-1
pdns	source	(unstable)	(unfixed)
pdns-recursor	source	bullseye	(unfixed)	end-of-life
pdns-recursor	source	bookworm	(unfixed)	end-of-life
pdns-recursor	source	trixie	5.2.11-0+deb13u1		DSA-6369-1
pdns-recursor	source	(unstable)	5.3.0-1

Notes

[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
[bookworm] - pdns <end-of-life> (See #1119290)
[bullseye] - pdns <end-of-life> (see DLA 4471)
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42005-unbounded-resource-consumption-in-internal-webserver
Only affects pdns-rec 5.2.x, marking first 5.3 upload as fixed version
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-07.html
https://github.com/PowerDNS/pdns/commit/11e4f2da8259e5070e7a193f48d23ade38b71dc0
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-42005-insufficient-input-validation-of-internal-web-server