{ "document": { "category": "csaf_vex", "csaf_version": "2.0", "lang": "en-US", "publisher": { "category": "coordinator", "contact_details": "https://www.cisa.gov/report", "issuing_authority": "CISA", "name": "CISA", "namespace": "https://www.cisa.gov/" }, "title": "Technitium DNS Amplification", "tracking": { "current_release_date": "2026-05-19T13:27:24Z", "generator": { "engine": { "name": "VINCE-NT", "version": "1.14.0+build.80" } }, "id": "VA-26-138-02", "initial_release_date": "2026-05-19T13:27:24Z", "status": "final", "version": "1.0.0", "revision_history": [ { "number": "1.0.0", "summary": "Initial publication", "date": "2026-05-19T13:27:24Z" } ] }, "distribution": { "tlp": { "label": "WHITE" } }, "notes": [ { "text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).", "title": "Legal Notice", "category": "legal_disclaimer" }, { "text": "Worldwide", "title": "Countries and Areas Deployed", "category": "other" }, { "text": "Information Technology", "title": "Critical Infrastructure Sectors", "category": "other" }, { "text": "Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. \nAn attacker in control of a domain can cause a vulnerable system to generate excessive network traffic.", "title": "Risk Evaluation", "category": "summary" }, { "text": "Fixed in version 15.0.", "title": "Recommended Practices", "category": "general" }, { "text": "United States", "title": "Company Headquarters Location", "category": "other" } ], "references": [ { "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-138-02.json", "summary": "Vulnerability Advisory VA-26-138-02 CSAF", "category": "self" } ] }, "product_tree": { "branches": [ { "category": "vendor", "name": "Technitium", "branches": [ { "category": "product_name", "name": "DNS Server", "branches": [ { "category": "product_version_range", "name": "<15.0", "product": { "name": "Technitium DNS Server <15.0", "product_id": "CSAFPID-0001" } }, { "category": "product_version", "name": "15.0", "product": { "name": "Technitium DNS Server 15.0", "product_id": "CSAFPID-0002" } } ] } ] } ] }, "vulnerabilities": [ { "cve": "CVE-2026-45557", "cwe": { "id": "CWE-405", "name": "Asymmetric Resource Consumption (Amplification)" }, "notes": [ { "category": "summary", "text": "Technitium DNS Server aggressively tries to fetch missing RRSIG records or mismatched DNSKEY records. An attacker in control of a domain can cause a vulnerable system to generate excessive network traffic. \nFixed in 15.0.", "title": "Description" }, { "category": "details", "title": "SSVC", "text": "SSVCv2/E:N/A:N/T:P/2026-05-18T22:28:44Z/" } ], "title": "Technitium DNS Server excessive DNSSEC requests", "product_status": { "known_affected": [ "CSAFPID-0001" ], "fixed": [ "CSAFPID-0002" ] }, "references": [ { "category": "external", "summary": "github.com", "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-150" }, { "category": "external", "summary": "raw.githubusercontent.com", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-138-02.json" }, { "category": "external", "summary": "www.cve.org", "url": "https://www.cve.org/CVERecord?id=CVE-2026-45557" } ], "scores": [ { "cvss_v3": { "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1" }, "products": [ "CSAFPID-0001" ] } ], "remediations": [ { "category": "vendor_fix", "details": "Fixed in 15.0.", "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-150", "product_ids": [ "CSAFPID-0001" ], "date": "2026-04-25T00:00:00Z" }, { "category": "vendor_fix", "details": "Fixed in 15.0.", "url": "https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md#version-150", "product_ids": [ "CSAFPID-0002" ], "date": "2026-04-25T00:00:00Z" } ], "acknowledgments": [ { "organization": "Tsinghua University", "names": [ "Shuhan Zhang" ] }, { "organization": "Tsinghua University", "names": [ "Dan Li" ] }, { "organization": "Tsinghua University", "names": [ "Baojun Liu" ] } ], "release_date": "2026-05-18T00:00:00Z" } ] }