{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-42254", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-26T02:38:40.734Z", "datePublished": "2026-04-26T02:38:41.261Z", "dateUpdated": "2026-04-27T13:33:50.961Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:cargo/hickory-recursor", "product": "Hickory DNS", "vendor": "Hickory Project", "versions": [{"lessThan": "0.26", "status": "affected", "version": "0.1", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-706", "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-26T03:10:54.172Z"}, "references": [{"url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:18:57.831422Z", "id": "CVE-2026-42254", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:33:50.961Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42254", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:18:57.831422Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:18:58.827Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hickory Project", "product": "Hickory DNS", "versions": [{"status": "affected", "version": "0.1", "lessThan": "0.26", "versionType": "custom"}], "packageURL": "pkg:cargo/hickory-recursor", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-706", "description": "CWE-706 Use of Incorrectly-Resolved Name or Reference"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-26T03:10:54.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42254", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:33:50.961Z", "dateReserved": "2026-04-26T02:38:40.734Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-26T02:38:41.261Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response."}], "id": "CVE-2026-42254", "lastModified": "2026-04-27T18:57:20.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-26T03:15:59.080", "references": [{"source": "cve@mitre.org", "url": "https://github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-706"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0.1,0.26)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Hickory DNS", "source": "cna", "vendor": "Hickory Project"}, "product": "hickory_dns", "vendor": "hickory_project"}], "analysis": {"en": {"generated_at": "2026-04-28T05:26:21.418462+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest available version of Hickory DNS recursor (>= 0.26.0) where the known cross\u2011zone poisoning issue has been addressed.", "If an immediate upgrade is not possible, block or restrict external DNS query traffic to the recursor using firewall rules or access control lists, limiting operations to trusted networks only.", "Monitor DNS logs for anomalous or unexpected record insertions and validate that responses correspond to legitimate zone data."], "summary": {"action": "Immediate Patch", "impact": "DNS Cache Poisoning"}, "threat_synthesis": {"affected_systems": "The issue affects the Hickory Project Hickory DNS recursor from version 0.1 up to and including 0.25.2. Any deployment of the recursor within this version range is vulnerable.", "description_and_impact": "The vulnerability allows an attacker to inject malicious data into the recursor\u2019s cache for zones that were not the original query target, enabling the return of forged DNS responses. This can redirect users to malicious sites or disrupt resolution for victim zones. The weakness is a flaw in how cached data is tied to queries (CWE-706). The problem is not a high\u2011severity code execution flaw, but it can degrade trust in DNS resolution in the affected system.", "risk_and_exploitability": "The CVSS score of 4 indicates moderate severity. Exploitation requires only sending crafted DNS requests to the recursor, so the attack vector is the network. The EPSS score of less than 1% suggests a low likelihood of real\u2011world exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw can lead to unauthorized DNS record injection, it poses a tangible risk to the integrity of DNS data in systems that expose the recursor to untrusted networks."}}}}, "created": "2026-04-27T19:52:37.912347+00:00", "title": "Cross\u2011Zone DNS Poisoning in Hickory DNS Recursor", "updated": "2026-04-28T05:30:23.365997+00:00", "vendors": ["hickory_project", "hickory_project$PRODUCT$hickory_dns"]}