| purl | pkg:deb/debian/pdns-recursor@5.2.8-0%2Bdeb13u1 |
| Next non-vulnerable version | 5.2.9-0+deb13u1 |
| Latest non-vulnerable version | 5.4.1-1 |
| Risk | 1.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-26wf-1bqp-sbff (Aliases: CVE-2026-33601) | If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that results in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-5afe-ws96-nqh9 (Aliases: CVE-2026-33258) | By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-anab-r9ty-1yh1 (Aliases: CVE-2026-33600) | An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-chzq-qej6-rkdq (Aliases: CVE-2026-33257) | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-k3re-ss39-zugm (Aliases: CVE-2026-33262) | An attacker can send replies that result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. Cookies are disabled by default. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-mzne-k7ry-pubm (Aliases: CVE-2026-33259) | Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-pfhu-1qdf-p7d5 (Aliases: CVE-2026-33260) | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. |
| VCID-v9yz-hcqv-83gu (Aliases: CVE-2026-33261) | A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-xasd-r2rc-2ufq (Aliases: CVE-2026-33256) | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-26wf-1bqp-sbff | If you use the zoneToCache function with a malicious authoritative server, an attacker can send a zone that results in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | CVE-2026-33601 |
| VCID-2ugc-uygs-hqb8 | Crafted delegations or IP fragments can poison cached delegations in Recursor. | CVE-2025-59024 |
| VCID-5afe-ws96-nqh9 | By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC(3) caches. | CVE-2026-33258 |
| VCID-anab-r9ty-1yh1 | An RPZ sent by a malicious authoritative server can result in a null pointer dereference, caused by a missing consistency check and leading to a denial of service. | CVE-2026-33600 |
| VCID-cdzz-8tc8-jucu | Crafted delegations or IP fragments can poison cached delegations in Recursor. | CVE-2025-59023 |
| VCID-chzq-qej6-rkdq | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | CVE-2026-33257 |
| VCID-m445-c6a1-uugf | Crafted zones can lead to increased resource usage and crafted CNAME chains can lead to cache poisoning in Recursor. | CVE-2026-0398 |
| VCID-mzne-k7ry-pubm | Having many concurrent transfers of the same RPZ can lead to inconsistent RPZ data, use after free and/or a crash of the recursor. Normally concurrent transfers of the same RPZ zone can only occur with a malfunctioning RPZ provider. | CVE-2026-33259 |
| VCID-pfhu-1qdf-p7d5 | An attacker can send a web request that causes unlimited memory allocation in the internal web server, leading to a denial of service. The internal web server is disabled by default. | CVE-2026-33260 |
| VCID-pjbp-1jgm-s3cg | Crafted zones can lead to increased incoming network traffic. | CVE-2026-24027 |
| VCID-umcq-ztbz-qfb2 | An attacker can trigger the removal of cached records by sending a NOTIFY query over TCP. | CVE-2025-59030 |
| VCID-v9yz-hcqv-83gu | A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service. | CVE-2026-33261 |
| VCID-wywf-pmyt-zud4 | An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version includes various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation is done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled. | CVE-2025-30192 |