{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-42255", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-26T02:48:44.278Z", "datePublished": "2026-04-26T02:48:44.810Z", "dateUpdated": "2026-04-27T13:31:57.425Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:docker/technitium/dns-server", "product": "DnsServer", "vendor": "Technitium", "versions": [{"lessThan": "15.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-684", "description": "CWE-684 Incorrect Provision of Specified Functionality", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-26T03:10:30.349Z"}, "references": [{"url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#technitium-dns-server-change-log"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:technitium:dnsserver:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.0.0"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:20:27.700885Z", "id": "CVE-2026-42255", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:31:57.425Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42255", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:20:27.700885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:20:28.762Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Technitium", "product": "DnsServer", "versions": [{"status": "affected", "version": "0", "lessThan": "15.0.0", "versionType": "custom"}], "packageURL": "pkg:docker/technitium/dns-server", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#technitium-dns-server-change-log"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-684", "description": "CWE-684 Incorrect Provision of Specified Functionality"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:technitium:dnsserver:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "15.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-26T03:10:30.349Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42255", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:31:57.425Z", "dateReserved": "2026-04-26T02:48:44.278Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-26T02:48:44.810Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:technitium:dnsserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F14BC9D-C63D-42B6-A0B9-D7FEB8473FD6", "versionEndExcluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Technitium DNS Server before 15.0 allows DNS traffic amplification via cyclic name server delegation."}], "id": "CVE-2026-42255", "lastModified": "2026-04-29T18:54:59.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-26T04:16:05.787", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#technitium-dns-server-change-log"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-684"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,15.0.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "DnsServer", "source": "cna", "vendor": "Technitium"}, "product": "dnsserver", "vendor": "technitium"}], "analysis": {"en": {"generated_at": "2026-04-28T13:27:48.919798+00:00", "value": {"mitigation_remediation": ["Upgrade Technitium DNS Server to version 15.0 or later.", "Apply firewall or IDS rules to limit or filter DNS amplification traffic, such as restricting query sizes or rate\u2011limiting DNS responses.", "Configure the DNS server to prevent cyclic delegation by enforcing a maximum delegation depth or disabling recursive lookups for untrusted zones."], "summary": {"action": "Apply Patch", "impact": "DNS Traffic Amplification"}, "threat_synthesis": {"affected_systems": "Technitium DNS Server versions earlier than 15.0 are affected. Any installation that has not been upgraded to 15.0 or newer is susceptible.", "description_and_impact": "A weakness in Technitium DNS Server permits DNS traffic amplification by exploiting cyclic name server delegation loops. The flaw enables an attacker to send specially crafted queries that trigger a chain of recursive delegations, producing excessive DNS responses that can overwhelm the network. Classified as CWE-684, an application\u2011logic weakness, the vulnerability leads to improper handling of DNS delegation paths and can create denial\u2011of\u2011service conditions.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity, while the EPSS score of less than 1\u202f% suggests that exploitation is currently unlikely. The likely attack vector is network\u2011based; based on the description, it is inferred that an external actor can send crafted DNS requests that trigger the amplification loop, potentially overwhelming the target with traffic. No local privileges or authentication are required."}}}}, "created": "2026-04-27T18:41:59.098572+00:00", "title": "DNS Amplification via Cyclic Name Server Delegation", "updated": "2026-04-28T13:30:32.095232+00:00", "vendors": ["technitium", "technitium$PRODUCT$dnsserver"]}