CVE-2026-42254: Cross-Zone DNS Cache Poisoning in Hickory DNS Recursor
Vulnerability ID: GHSA-83HF-93M4-RGWQ
CVSS Score: 4.0
Published: 2026-04-30
The hickory-recursor crate in Hickory DNS contains a cache poisoning vulnerability due to improper record keying and weak bailiwick validation. This allows a malicious nameserver to inject unauthorized NS records for sibling zones into the global DNS cache, hijacking subsequent queries.
TL;DR
A flaw in hickory-recursor allows attackers controlling a nameserver to poison the DNS cache with unauthorized NS records for sibling zones. This bypasses bailiwick checks and reroutes DNS traffic for victim domains. Users must migrate to hickory-resolver >= 0.26.0.
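The following Rust example is added here to illustrate the two weaknesses the advisory names, record keying and bailiwick validation; it is not code from Hickory DNS, and the names attacker.test and victim.test are a constructed scenario. It models a recursor cache that receives a response from a nameserver reached through a delegation for attacker.test. The response carries an NS record for the sibling zone victim.test, and the check shown is the defensive one a recursor has to apply: compare the owner name of every record, label by label, against the zone the server was delegated for, and key cache entries on the full (owner name, record type) pair so a record can never be stored under a name other than its own.

```rust
use std::collections::HashMap;

/// Lower-case a DNS name and make it fully qualified (trailing dot).
fn normalize(name: &str) -> String {
    let mut n = name.trim().to_ascii_lowercase();
    if !n.ends_with('.') {
        n.push('.');
    }
    n
}

/// Bailiwick test: `owner` is accepted only if it equals `zone` or is a
/// subdomain of it, compared label by label. A plain string-suffix match
/// would wrongly accept "evilexample.test." for the zone "example.test.".
pub fn in_bailiwick(zone: &str, owner: &str) -> bool {
    let zone = normalize(zone);
    let owner = normalize(owner);
    if zone == "." {
        return true; // a root-server delegation covers every name
    }
    let zl: Vec<&str> = zone.trim_end_matches('.').split('.').collect();
    let ol: Vec<&str> = owner.trim_end_matches('.').split('.').collect();
    ol.len() >= zl.len() && ol[ol.len() - zl.len()..] == zl[..]
}

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum RecordType {
    A,
    Ns,
}

/// A resource record as it arrives in a response (owner name, type, rdata).
#[derive(Clone, Debug)]
pub struct Record {
    pub name: String,
    pub rtype: RecordType,
    pub data: String,
}

/// Cache keyed on the full (owner name, type) pair, so a record is only ever
/// stored under, and can only ever overwrite, its own owner name.
#[derive(Default)]
pub struct Cache {
    entries: HashMap<(String, RecordType), Vec<String>>,
}

impl Cache {
    pub fn new() -> Self {
        Self::default()
    }

    /// Ingest a response from a nameserver that the recursor reached via a
    /// delegation for `delegated_zone`. Every record outside that zone is
    /// dropped, whichever section it appeared in. Returns the number accepted.
    pub fn insert_response(&mut self, delegated_zone: &str, records: &[Record]) -> usize {
        let mut accepted = 0;
        for r in records {
            if !in_bailiwick(delegated_zone, &r.name) {
                continue; // out of bailiwick: never cached
            }
            self.entries
                .entry((normalize(&r.name), r.rtype))
                .or_default()
                .push(r.data.clone());
            accepted += 1;
        }
        accepted
    }

    pub fn get(&self, name: &str, rtype: RecordType) -> Option<&Vec<String>> {
        self.entries.get(&(normalize(name), rtype))
    }
}

/// Constructed response: the server delegated for attacker.test answers with
/// its own NS and glue records and adds an NS record for the sibling victim.test.
pub fn sample_response() -> Vec<Record> {
    vec![
        Record { name: "attacker.test.".into(), rtype: RecordType::Ns, data: "ns1.attacker.test.".into() },
        Record { name: "ns1.attacker.test.".into(), rtype: RecordType::A, data: "192.0.2.10".into() },
        Record { name: "victim.test.".into(), rtype: RecordType::Ns, data: "ns1.attacker.test.".into() },
    ]
}

fn main() {
    let mut cache = Cache::new();
    let n = cache.insert_response("attacker.test.", &sample_response());
    println!("accepted {} of 3 records", n);
    println!("victim.test NS cached: {}", cache.get("victim.test", RecordType::Ns).is_some());
}
```

The sibling-zone NS record is rejected because victim.test. does not share the attacker.test. suffix label by label, so a later query for victim.test still follows the parent's delegation rather than the injected nameserver.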
Technical Details
- CWE ID: CWE-706, CWE-441
- Attack Vector: Network
- CVSS Base Score: 4.0 (Medium)
- EPSS Score: 0.00029 (8.14%)
- Impact: DNS traffic hijacking via cache poisoning
- Exploit Status: None known in the wild
- KEV Status: Not Listed
Affected Systems
- Hickory DNS (hickory-recursor experimental crate)
- hickory-recursor: <= 0.25.2 (Fixed in: hickory-resolver >= 0.26.0)
Mitigation Strategies
- Remove the hickory-recursor crate from all project dependencies.
- Migrate to the hickory-resolver crate version 0.26.0 or later.
- Enable the 'recursor' feature flag in hickory-resolver if recursive resolution is required.
Remediation Steps
- Audit Cargo.toml and Cargo.lock files to identify usage of hickory-recursor.
- Replace the hickory-recursor dependency with hickory-resolver >= 0.26.0.
- Update application configuration to specify the features = ["recursor"] flag for hickory-resolver.
- Recompile the application and deploy the updated binaries.
- Flush any active DNS caches that may have been operating under the vulnerable version.
References
Read the full report for GHSA-83HF-93M4-RGWQ on our website for more details including interactive diagrams and full exploit analysis.