5.9
CVE-2026-33262 - Insufficient validation of cookie reply
An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default.
5.9
CVE-2026-33261 - Null pointer accces in aggressive NSEC(3) cache
A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service.
5.3
CVE-2026-33260 - Insufficient input validation of internal webserver
An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default.
5
CVE-2026-33259 - Concurrent modification of RPZ data can lead to denial of servce
Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider.
5.3
CVE-2026-33258 - Crafted zones can cause increased resource usage
By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches.