CVE-2026-52690

NameCVE-2026-52690
DescriptionSpoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6369-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pdns-recursor (PTS)bullseye4.4.2-3vulnerable
bookworm, bookworm (security)4.8.8-1+deb12u1vulnerable
trixie (security), trixie5.2.11-0+deb13u1fixed
forky, sid5.4.3-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pdns-recursorsourcebullseye(unfixed)end-of-life
pdns-recursorsourcebookworm(unfixed)end-of-life
pdns-recursorsourcetrixie5.2.11-0+deb13u1DSA-6369-1
pdns-recursorsource(unstable)5.4.3-1

Notes

[bookworm] - pdns-recursor <end-of-life> (see DSA 6045)
[bullseye] - pdns-recursor <end-of-life> (see DSA 6045)
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2026-08.html#cve-2026-52690-spoofed-answers-can-mark-an-authoritative-non-edns-capable

Search for package or bug name: Reporting problems