CVE-2026-33190

CoreDNS TSIG authentication bypass vulnerability (CVE-2026-33190) affects versions prior to 1.14.3 on non-plain-DNS transports. The tsig plugin trusts the transport writer’s TsigStatus() instead of verifying TSIG itself, causing unauthenticated remote access over DoT, DoH, DoH3, DoQ, and gRPC. Do...

GHSA-QHMP-Q7XH-99RH CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC

Summary CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG NOTAUTH, while the same invalid-TSIG request is accepted ove...

CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC

Summary CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG NOTAUTH, while the same invalid-TSIG request is accepted ove...

CVE-2026-33596

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend...

CVE-2026-33596 TCP backend stream ID overflow

A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed queries that are routed to a TCP-only or DNS over TLS backend...

EUVD-2023-54109

Malicious code in bioql PyPI...

EUVD-2022-24523

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2023-4236

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal da...

NewStart CGSL MAIN 7.02 : bind Multiple Vulnerabilities (NS-SA-2025-0108)

The remote NewStart CGSL host, running version MAIN 7.02, has bind packages installed that are affected by multiple vulnerabilities: - If a server hosts a zone containing a KEY Resource Record, or a resolver DNSSEC-validates a KEY Resource Record from a DNSSEC-signed domain in cache, a client can...

Quantum-Resistant Domain Name System: a Comprehensive System-Level Study

The Domain Name System DNS plays a foundational role in Internet infrastructure, yet its core protocols remain vulnerable to compromise by quantum adversaries. As cryptographically relevant quantum computers become a realistic threat, ensuring DNS confidentiality, authenticity, and integrity in t...

OESA-2024-2233 unbound security update

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Unbound is available for most...

Advisory ROSA-SA-2024-2459

Software: systemd 239 OS: ROSA Virtualization 2.1 packageevrstring: systemd-239 CVE-ID: CVE-2018-21029 BDU-ID: None CVE-Crit: CRITICAL. CVE-DESC.: systemd accepts any certificate signed by a trusted certificate authority for DNS Over TLS. No server name indication SNI is sent, and there is no...

ROS-20240611-12

Vulnerability of the named DNS server daemon BIND is related to an operation overrunning the buffer boundaries in memory as a result of recursion during processing of received packets. as a result of uncontrolled recursion when processing received packets. Exploitation of the vulnerability could...

CVE-2024-25581

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer AXFR or IXFR over DNS over HTTPS, causing the process to stop...

CVE-2024-25581

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer AXFR or IXFR over DNS over HTTPS, causing the process to stop...

CVE-2024-25581

DNSDIST vulnerability CVE-2024-25581: When DNS over HTTPS is enabled (nghttp2 provider) and queries are routed to a tcp-only or DoT backend, an attacker can trigger an assertion failure by requesting a zone transfer (AXFR/IXFR) over DoH, causing the process to crash and a DoS. DoH is not enabled ...

CVE-2024-25581 Transfer requests received over DoH can lead to a denial of service in DNSdist

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer AXFR or IXFR over DNS over HTTPS, causing the process to stop...

CVE-2024-25581

When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer AXFR or IXFR over DNS over HTTPS, causing the process to stop...

Fedora 40 : bind / bind-dyndb-ldap (2023-687525fcca)

The remote Fedora 40 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-687525fcca advisory. BIND 9.18.19 Security Fixes - Previously, sending a specially crafted message over the control channel could cause the packet- parsing code to run o...

Fedora 39 : bind / bind-dyndb-ldap (2023-b4acb0f7c6)

The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-b4acb0f7c6 advisory. BIND 9.18.19 Security Fixes - Previously, sending a specially crafted message over the control channel could cause the packet- parsing code to run o...