CVE-2026-42389
- EPSS 0.18%
- Veröffentlicht 25.06.2026 13:16:45
- Zuletzt bearbeitet 25.06.2026 16:16:35
This fix provides extra hardening for the 5.4.x branch by doing extra validation of incoming answers from authoritative servers.
CVE-2026-52690
- EPSS 0.35%
- Veröffentlicht 25.06.2026 13:01:40
- Zuletzt bearbeitet 25.06.2026 15:59:47
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail.
CVE-2026-42390
- EPSS 0.21%
- Veröffentlicht 25.06.2026 13:01:08
- Zuletzt bearbeitet 25.06.2026 15:59:47
An invalid zone might pass ZONEMD validation while it should not. This is only relevant if ZoneToCache is configured with ZONEMD validation.
CVE-2026-42388
- EPSS 0.4%
- Veröffentlicht 25.06.2026 12:59:38
- Zuletzt bearbeitet 25.06.2026 16:16:35
Incomplete validation of the SOA record present in a catalog zone might lead to a crash.
CVE-2026-42387
- EPSS 0.4%
- Veröffentlicht 25.06.2026 12:59:16
- Zuletzt bearbeitet 25.06.2026 16:16:35
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to a crash of the Recursor due to insuffcient input validation.
CVE-2026-40012
- EPSS 0.31%
- Veröffentlicht 25.06.2026 12:58:51
- Zuletzt bearbeitet 25.06.2026 16:16:35
ECS zero scoped answers are stored in the packet cache while they should not. This impacts only configurations that have ECS enabled;
CVE-2026-33612
- EPSS 0.12%
- Veröffentlicht 25.06.2026 12:58:27
- Zuletzt bearbeitet 25.06.2026 16:00:30
A malicious authoritative server can send a crafted zone via the ZoneToCache function that leads to cache poisoning.
CVE-2026-33601
- EPSS 0.51%
- Veröffentlicht 22.04.2026 10:16:52
- Zuletzt bearbeitet 27.04.2026 16:58:57
If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service.
CVE-2026-33256
- EPSS 0.61%
- Veröffentlicht 22.04.2026 10:16:51
- Zuletzt bearbeitet 27.04.2026 17:04:04
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
CVE-2026-33257
- EPSS 0.51%
- Veröffentlicht 22.04.2026 10:16:51
- Zuletzt bearbeitet 27.04.2026 17:03:56
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.