PowerDNS Blog

PowerDNS Security Advisory 2026-06 for PowerDNS Authoritative Server

Written by Peter van Dijk | May 20, 2026 1:02:52 PM

Today, we are releasing two new versions of the PowerDNS Authoritative Server.

These 4.9.15 and 5.0.5 versions provide fixes for the following PowerDNS Security Advisory: PowerDNS Security Advisory 2026-06: Multiple Issues

The security issues being fixed with these releases are low or medium-severity, and most of them involve specific back-ends and/or configurations. They are:

  • CVE-2026-41999 (only concerns 5.0.x)
    When using views, queries sent using TCP Proxy Protocol will select the view according to the address of the proxy, rather than the source address of the initial query. This can lead to wrong data being returned.

  • CVE-2026-42000
    Missing escaping of special characters (such as $ or @) in DNS names received during an AXFR operation can cause an incorrect (non-parseable) Bind backend configuration to be written, causing this backend to fail until the configuration is fixed manually.
  • CVE-2026-42001
    Missing sanity checks of the answer to the initial SOA query, when running in auto-secondary mode and receiving a notification for a not-yet-known domain, may cause the server to crash.
  • CVE-2026-42002
    Multiple concurrency and locking defects in the GSS-TSIG code can lead to memory corruption due to accidental data structure sharing, which can in turn lead to a program crash.
    Moreover, the lack of bounds on the number of in-flight GSS-TSIG contexts can lead to unbounded memory consumption in case of an excessive number of requests at a given time. A limit of 1000 contexts is now enforced, and can be modified with the "gss-max-contexts" parameter in the server configuration.
  • CVE-2026-42396
    Missing proper escaping of double-quote characters when computing labels will cause AXFR of a catalog zone with a member whose producer group option contains such a character to fail.
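
The view-selection problem in CVE-2026-41999, illustrated as an added example (this is not PowerDNS code): a PROXY protocol v2 header is parsed and the view is chosen from the client address it carries, and only when the TCP peer is a trusted proxy. The networks, view names and trusted-proxy list are constructed assumptions.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte PROXY v2 signature

# Hypothetical values (constructed; not PowerDNS configuration syntax).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]
VIEWS = [(ipaddress.ip_network("192.0.2.0/24"), "internal")]
DEFAULT_VIEW = "public"

def proxied_source(data):
    """Return the client address carried in a PROXY v2 header, or None."""
    if len(data) < 16 or not data.startswith(PP2_SIGNATURE):
        return None
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2 or ver_cmd & 0x0F > 1:
        raise ValueError("unsupported PROXY protocol version or command")
    if ver_cmd & 0x0F == 0:  # LOCAL command: no proxied client
        return None
    block = data[16:16 + length]
    addr_len = {1: 4, 2: 16}.get(fam_proto >> 4)  # AF_INET, AF_INET6
    if addr_len is None or len(block) < 2 * addr_len + 4:
        raise ValueError("unsupported family or truncated address block")
    return ipaddress.ip_address(block[:addr_len])

def view_for(addr):
    """Map one address to a view name."""
    return next((name for net, name in VIEWS if addr in net), DEFAULT_VIEW)

def select_view(peer, data):
    """Pick the view from the proxied client, but only for trusted proxies."""
    peer_ip = ipaddress.ip_address(peer)
    if any(peer_ip in net for net in TRUSTED_PROXIES):
        return view_for(proxied_source(data) or peer_ip)
    return view_for(peer_ip)  # header from an untrusted peer is ignored

# Constructed sample: client 192.0.2.55 reaching 198.51.100.1:53 through the proxy.
SAMPLE = (PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", 12)
          + ipaddress.ip_address("192.0.2.55").packed
          + ipaddress.ip_address("198.51.100.1").packed
          + struct.pack("!HH", 40000, 53))

if __name__ == "__main__":
    print("by proxy address :", view_for(ipaddress.ip_address("203.0.113.10")))
    print("by client address:", select_view("203.0.113.10", SAMPLE))
    print("untrusted peer   :", select_view("198.51.100.77", SAMPLE))
```

Selecting by the proxy's own address yields the default view for every proxied client, which is the wrong-data outcome the advisory describes.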

A detailed list of changes can be found in the Changelogs (4.9.15, 5.0.5).

Please make sure to read the Upgrade Notes before upgrading.

The tarballs (4.9.15, 5.0.5) and their signatures (4.9.15, 5.0.5) are available at downloads.powerdns.com. Packages for various distributions are available from repo.powerdns.com.

Please send us all feedback and issues you might have via the mailing list, or in case of a bug, via GitHub.