Cross-Zone Poisoning Vulnerability in Hickory DNS Recursor by Hickory
CVE-2026-42254
4 MEDIUM
What is CVE-2026-42254?
In Hickory DNS, hickory-recursor versions 0.1 through 0.25.2 are affected by a cross-zone poisoning vulnerability. The flaw arises because cached data is not associated directly with the specific query that elicited the response, which lets potential attackers manipulate cached DNS responses across different zones. This could allow unauthorized access to sensitive information or compromise the integrity of DNS responses, posing significant risks to systems that use this recursor.
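The class of check this description points at, as an added example (not Hickory DNS code and not its actual fix): a minimal Rust cache that ties each response to the zone of the query that produced it and refuses records outside that zone. The `Cache` type, the function names, and the sample records are all constructed for illustration.

```rust
use std::collections::HashMap;

/// Lowercase a DNS name and drop the trailing root dot.
fn norm(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

/// True when `name` is `zone` itself or a label-aligned subdomain of it.
fn in_bailiwick(name: &str, zone: &str) -> bool {
    let (n, z) = (norm(name), norm(zone));
    z.is_empty() || n == z || n.ends_with(&format!(".{z}"))
}

/// Hypothetical cache keyed by (owner name, record type).
#[derive(Default)]
struct Cache { entries: HashMap<(String, String), String> }

impl Cache {
    /// Cache only records under the zone the query was sent for; return how many were rejected.
    fn insert_response(&mut self, zone: &str, records: &[(&str, &str, &str)]) -> usize {
        let mut rejected = 0;
        for (name, rtype, rdata) in records {
            if in_bailiwick(name, zone) {
                self.entries.insert((norm(name), rtype.to_string()), rdata.to_string());
            } else {
                rejected += 1; // out-of-zone data never reaches the cache
            }
        }
        rejected
    }
    fn contains(&self, name: &str, rtype: &str) -> bool {
        self.entries.contains_key(&(norm(name), rtype.to_string()))
    }
}

/// Constructed sample: a response to a query sent to the example.test. servers.
fn demo() -> (usize, bool, bool) {
    let mut cache = Cache::default();
    let response = [
        ("www.example.test.", "A", "192.0.2.10"),
        ("www.other.test.", "A", "198.51.100.66"), // belongs to a different zone
        ("badexample.test.", "A", "198.51.100.67"), // shares a suffix, not a subdomain
    ];
    let rejected = cache.insert_response("example.test.", &response);
    (rejected, cache.contains("www.example.test", "A"), cache.contains("www.other.test", "A"))
}
fn main() {
    println!("{:?}", demo());
}
```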
Affected Version(s)
Hickory DNS: 0.1 up to, but not including, 0.26
