What is CVE-2026-42254?

CVE-2026-42254 is a medium-severity vulnerability in Hickory Project Dns, classified under Use of Incorrectly-Resolved Name or Reference. CVSS score: 4.0/10. Published 2026-04-26.

How severe is CVE-2026-42254?

Medium severity. CVSS v3 base score is 4.0 out of 10.

Vulnerability in Hickory Project Dns

CVE-2026-42254

Hickory DNS hickory-recursor 0.1 through 0.25.2 allows cross-zone poisoning because cached data is not directly associated with a query that triggered a response.

EPSS: 0.000 (12.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.0 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N.

Affected products

Hickory Project Dns — versions 0.1

Weakness classification (CWE)

CWE-706 — Use of Incorrectly-Resolved Name or Reference

References

github.com/hickory-dns/hickory-dns/security/advisories/GHSA-83hf-93m4-rgwq

Frequently asked questions

What is CVE-2026-42254?: CVE-2026-42254 is a medium-severity vulnerability in Hickory Project Dns, classified under Use of Incorrectly-Resolved Name or Reference. CVSS score: 4.0/10. Published 2026-04-26.
How severe is CVE-2026-42254?: Medium severity. CVSS v3 base score is 4.0 out of 10.