CVE-2026-42254 Overview
CVE-2026-42254 is a DNS cache poisoning vulnerability affecting Hickory DNS hickory-recursor versions 0.1 through 0.25.2. The vulnerability allows cross-zone poisoning because cached data is not tied to the query that triggered the response it came from. This weakness (CWE-706: Use of Incorrectly-Resolved Name or Reference) enables attackers to potentially inject malicious DNS records into the resolver's cache, redirecting legitimate domain lookups to attacker-controlled infrastructure.
Critical Impact
This vulnerability enables cross-zone DNS cache poisoning, allowing attackers to redirect DNS queries for legitimate domains to malicious IP addresses, potentially enabling phishing attacks, credential theft, or malware distribution.
Affected Products
- Hickory DNS hickory-recursor versions 0.1 through 0.25.2
Discovery Timeline
- 2026-04-26 - CVE-2026-42254 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-42254
Vulnerability Analysis
This DNS vulnerability stems from improper cache management in the Hickory DNS recursive resolver component. The core issue is that cached DNS response data is not properly associated with the specific query that originally triggered the response. This architectural flaw allows an attacker to exploit the resolver's caching mechanism to inject malicious DNS records that can affect zones beyond the intended scope of a legitimate query.
In a properly functioning DNS resolver, cached responses should be strictly scoped to the zone and query context that generated them. However, hickory-recursor's implementation fails to maintain this isolation, creating an opportunity for cross-zone cache poisoning attacks.
Root Cause
The root cause is classified under CWE-706 (Use of Incorrectly-Resolved Name or Reference). The hickory-recursor component does not properly bind cached DNS response records to the query context that originally requested them. This allows DNS records from one zone's response to potentially influence or override cached records in unrelated zones, breaking the fundamental security assumption that DNS caches maintain zone isolation.
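The check the page describes as missing is the classic "bailiwick" rule: a record from a response is only cached if its owner name lies within the zone the queried server is authoritative for. The following Rust snippet is an added example written for this page, not hickory-recursor's own code; it models a minimal cache where the `strict` flag toggles that rule, so the same two-record response either poisons an unrelated zone or has the foreign record dropped. Names are handled as plain strings with an assumed trailing-dot convention.

```rust
// Added example (not hickory-dns/hickory-recursor code): a minimal cache that
// enforces a bailiwick rule. With `strict = false` it behaves like the flaw
// described above, caching any record a response happens to carry.
use std::collections::HashMap;

/// A resource record as it would appear in a DNS response (constructed,
/// simplified type; real resolvers use full wire-format RRs).
#[derive(Clone, Debug, PartialEq)]
pub struct Record {
    pub name: String,        // owner name, e.g. "www.example.com."
    pub rtype: &'static str, // "A", "NS", ...
    pub data: String,
}

/// True when `name` equals `zone` or is a subdomain of it (case-insensitive,
/// compared on label boundaries so "notexample.com" is not under "example.com").
pub fn in_bailiwick(name: &str, zone: &str) -> bool {
    let n = name.trim_end_matches('.').to_ascii_lowercase();
    let z = zone.trim_end_matches('.').to_ascii_lowercase();
    if z.is_empty() {
        return true; // the root zone covers every name
    }
    n == z || n.ends_with(&format!(".{}", z))
}

#[derive(Default)]
pub struct Cache {
    entries: HashMap<(String, &'static str), Record>,
}

impl Cache {
    /// Insert the records of a response to a query that was sent to the
    /// servers for `zone`. Returns how many out-of-bailiwick records were
    /// discarded; with `strict = false` nothing is ever discarded.
    pub fn insert_response(&mut self, zone: &str, records: &[Record], strict: bool) -> usize {
        let mut dropped = 0;
        for r in records {
            if strict && !in_bailiwick(&r.name, zone) {
                dropped += 1;
                continue;
            }
            self.entries
                .insert((r.name.to_ascii_lowercase(), r.rtype), r.clone());
        }
        dropped
    }

    pub fn lookup(&self, name: &str, rtype: &'static str) -> Option<&Record> {
        self.entries.get(&(name.to_ascii_lowercase(), rtype))
    }
}
```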
Attack Vector
The attack is network-based and requires the attacker to craft malicious DNS responses that exploit the cache isolation weakness. While the attack complexity is considered high due to the timing and positioning requirements typical of DNS cache poisoning attacks, no authentication is required. The attacker must be able to send DNS responses that reach the vulnerable resolver, typically by either:
- Positioning themselves on the network path between the resolver and authoritative servers
- Racing to respond to queries faster than legitimate authoritative servers
- Exploiting predictable transaction IDs or ports to inject spoofed responses
Once successful, the poisoned cache entries can redirect DNS lookups for targeted domains, affecting all clients relying on the compromised resolver. The impact is primarily to integrity, as DNS responses for legitimate domains can be manipulated.
Detection Methods for CVE-2026-42254
Indicators of Compromise
- Unexpected DNS cache entries that do not match authoritative records for domains
- DNS responses containing additional records from unrelated zones
- Anomalous DNS query patterns showing resolution to unexpected IP addresses
- Client systems connecting to known-malicious IP addresses after DNS resolution
Detection Strategies
- Implement DNS response validation to verify that cached records match authoritative zone data
- Monitor for DNS cache inconsistencies by comparing resolver cache contents against authoritative sources
- Deploy network-level monitoring to detect DNS response spoofing attempts
- Enable DNSSEC validation where possible to cryptographically verify DNS response authenticity
Monitoring Recommendations
- Log and alert on DNS cache changes for critical domains
- Implement baseline monitoring of DNS resolution patterns to detect anomalies
- Monitor for DNS queries resolving to known-bad IP addresses or unexpected geolocations
- Track resolver performance metrics that might indicate cache manipulation attempts
How to Mitigate CVE-2026-42254
Immediate Actions Required
- Upgrade hickory-recursor to a patched version beyond 0.25.2
- Review DNS cache contents for signs of poisoning
- Consider enabling DNSSEC validation to protect against cache poisoning attacks
- Implement network segmentation to limit exposure of DNS resolvers
Patch Information
Organizations using Hickory DNS hickory-recursor should upgrade from vulnerable versions (0.1 through 0.25.2) to the latest patched release. Detailed patch information and security guidance are available in the GitHub Security Advisory.
Workarounds
- Enable DNSSEC validation to provide cryptographic verification of DNS responses
- Implement source port randomization and transaction ID randomization if not already enabled
- Deploy DNS firewalls or response policy zones (RPZ) to filter suspicious DNS responses
- Consider using DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to encrypt DNS traffic and prevent tampering
# Example: check which hickory-recursor version your build resolves to
hickory-dns --version
# In a cargo project, show the resolved hickory-recursor version and who depends on it
cargo tree -i hickory-recursor
# Update to the latest patched version; note that a caret requirement such as
# "0.25" only permits 0.25.x, so a fix released as a new 0.x minor also needs
# the version requirement in Cargo.toml raised before this will pick it up
cargo update -p hickory-recursor
# Verify DNSSEC validation is enabled in the resolver configuration:
# review your hickory-dns configuration file for DNSSEC settings
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.