CVE-2026-42254: Cross-Zone DNS Cache Poisoning in Hickory DNS Recursor Vulnerability ID: GHSA-83HF-93M4-RGWQ CVSS Score: 4.0 Published: 2026-04-30 The hickory-recursor crate in Hickory DNS contains a cache poisoning vulnerability due to improper record keying and weak bailiwick validation. This allows a malicious nameserver to inject unauthorized NS records for sibling zones into the global DNS cache, hijacking subsequent queries. TL;DR A flaw in hickory-recursor allows attackers controlling a nameserver to poison the DNS cache with unauthorized NS records for sibling zones. This bypasses bailiwick checks and reroutes DNS traffic for victim domains. Users must migrate to hickory-resolver >= 0.26.0.…