CVE-2026-42005

NameCVE-2026-42005
DescriptionAn attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6367-1, DSA-6368-1, DSA-6369-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dnsdist (PTS)bullseye1.5.1-3vulnerable
bookworm1.7.3-2vulnerable
trixie (security), trixie1.9.15-0+deb13u1fixed
forky, sid2.1.0-2fixed
pdns (PTS)bullseye4.4.1-1vulnerable
bookworm4.7.3-2vulnerable
trixie (security), trixie4.9.16-0+deb13u1fixed
forky, sid5.1.3-1fixed
pdns-recursor (PTS)bullseye4.4.2-3vulnerable
bookworm, bookworm (security)4.8.8-1+deb12u1vulnerable
trixie (security), trixie5.2.11-0+deb13u1fixed
forky, sid5.4.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dnsdistsourcebullseye(unfixed)end-of-life
dnsdistsourcebookworm(unfixed)end-of-life
dnsdistsourcetrixie1.9.15-0+deb13u1DSA-6367-1
dnsdistsource(unstable)2.1.0-1
pdnssourcebullseye(unfixed)end-of-life
pdnssourcebookworm(unfixed)end-of-life
pdnssourcetrixie4.9.16-0+deb13u1DSA-6368-1
pdnssource(unstable)5.1.2-1
pdns-recursorsourcebullseye(unfixed)end-of-life
pdns-recursorsourcebookworm(unfixed)end-of-life
pdns-recursorsourcetrixie5.2.11-0+deb13u1DSA-6369-1
pdns-recursorsource(unstable)5.4.3-1

Notes

[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
[bookworm] - pdns <end-of-life> (See #1119290)
[bullseye] - pdns <end-of-life> (see DLA 4471)
[bookworm] - dnsdist <end-of-life> (See #1119290)
[bullseye] - dnsdist <end-of-life> (see #1119290)
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-42005-unbounded-resource-consumption-in-internal-webserver
Only affects pdns-rec 5.2.x, marking first 5.3 upload as fixed version
https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-07.html
https://github.com/PowerDNS/pdns/commit/11e4f2da8259e5070e7a193f48d23ade38b71dc0
https://www.dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2026-09.html#cve-2026-42005-insufficient-input-validation-of-internal-web-server

Search for package or bug name: Reporting problems