SB20260513114 - Debian update for pdns-recursor

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260513114

SB20260513114 - Debian update for pdns-recursor

Published: May 13, 2026

Security Bulletin ID SB20260513114
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 57% Low 43%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33257)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource allocation in internal web server when handling crafted HTTP requests. A remote attacker can send a crafted HTTP request to cause a denial of service.

Note, the internal web server is disabled by default.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33258)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource allocation in negative and aggressive NSEC(3) caches when processing crafted zones and DNS responses. A remote attacker can publish and query a crafted zone to cause a denial of service.


3) Use-after-free (CVE-ID: CVE-2026-33259)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to use-after-free in RPZ data handling when processing many concurrent transfers of the same RPZ. A remote privileged user can trigger many concurrent transfers of the same RPZ to cause a denial of service.

Exploitation normally requires a malfunctioning RPZ provider.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-33260)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource allocation in internal web server when handling crafted HTTP requests. A remote attacker can send a crafted HTTP request to cause a denial of service.

Note. the internal web server is disabled by default.


5) Missing support for integrity check (CVE-ID: CVE-2026-33261)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to internal inconsistency in aggressive NSEC(3) cache when a zone transitions from NSEC to NSEC3. A remote attacker can trigger a zone transition from NSEC to NSEC3 to cause a denial of service.


6) NULL pointer dereference (CVE-ID: CVE-2026-33600)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to null pointer dereference in RPZ transfer handling when processing a crafted RPZ from a malicious authoritative server. A remote privileged user can send a crafted RPZ to cause a denial of service.


7) NULL pointer dereference (CVE-ID: CVE-2026-33601)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to null pointer dereference in zoneToCache ZONEMD record handling when processing a crafted zonemd record from a malicious authoritative server. A remote privileged user can send a crafted zonemd record to cause a denial of service.

Exploitation requires the zoneToCache function to be configured.


Remediation

Install update from vendor's website.

References