
166 matches found

OSV
added 6 days ago, 4 views

RLSA-2026:20589 Important: dnsmasq security update

The dnsmasq packages contain Dnsmasq, a lightweight DNS (Domain Name Server) forwarder and DHCP (Dynamic Host Configuration Protocol) server. Security Fixes: dnsmasq: dnsmasq: heap buffer overflow in cache via NAMEESCAPE expansion (CVE-2026-2291) dnsmasq: NSEC bitmap parsing infinite loop (CVE-2026-4890)...

CVSS 8.8, AI score 6, EPSS 0.0024
Exploits 3, References 6
RedHat Linux
added 2026/05/26 5:09 a.m., 10 views

dnsmasq: NSEC bitmap parsing infinite loop

A denial of service vulnerability was discovered in dnsmasq's DNSSEC validation. When parsing NSEC and NSEC3 bitmap records, the window iteration logic fails to account for the 2-byte window header when advancing through the bitmap data. A specially crafted DNS response with a zero-length bitmap...

CVSS 7.5, AI score 5.8, EPSS 0.0024
Exploits 0, References 5
ATTACKERKB
added 2026/05/20 9:20 a.m., 5 views

CVE-2026-42923

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the...

CVSS 6.9, AI score 5.7, EPSS 0.00057
Exploits 0, References 2
RedHat Linux
added 2026/05/19 9:55 p.m., 5 views

dnsmasq: NSEC bitmap parsing infinite loop

A denial of service vulnerability was discovered in dnsmasq's DNSSEC validation. When parsing NSEC and NSEC3 bitmap records, the window iteration logic fails to account for the 2-byte window header when advancing through the bitmap data. A specially crafted DNS response with a zero-length bitmap...

CVSS 7.5, AI score 5.8, EPSS 0.0024
Exploits 0, References 5
RedHat Linux
added 2026/05/19 9:55 p.m., 7 views

Important: Red Hat Security Advisory: dnsmasq security update

An update for dnsmasq is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from t...

CVSS 8.4, AI score 6, EPSS 0.0024
Exploits 3, References 6
OSV
added 2026/05/07 2:59 a.m., 0 views

GHSA-3V94-MW7P-V465 hickory-proto: NSEC3 closest-encloser proof validation enters unbounded loop on cross-zone responses

The NSEC3 closest-encloser proof validation in hickory-proto's 0.25.0-alpha.3 ... 0.25.2 and hickory-net's 0.26.0-alpha.1 .. 0.26.0 DnssecDnsHandle walks from the QNAME up to the SOA owner name, building a list of candidate encloser names. The iterator used assumes the QNAME is a descendant of th...

CVSS 8.7, AI score 5.8
Exploits 0, References 4
AstraLinux
added 2026/05/03 11:59 p.m., 4 views

Astra Linux - vulnerability in unbound, bind9, dnsmasq

The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification...

CVSS 7.5, AI score 7, EPSS 0.1242
Exploits 1, References 2
SUSE CVE
added 2026/04/23 1:24 a.m., 1 view

SUSE CVE-2026-33258

By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC3 caches...

CVSS 7.5, AI score 5.8, EPSS 0.00002
Exploits 0, References 3
SUSE CVE
added 2026/04/23 1:24 a.m., 5 views

SUSE CVE-2026-33261

A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service...

CVSS 5.9, AI score 5.8, EPSS 0.00001
Exploits 0, References 3
Tenable Nessus
added 2026/04/23 12:00 a.m., 1 view

Linux Distros Unpatched Vulnerability : CVE-2026-33261

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service. (CVE-2026-33261) Note that Nessus relies on the presen...

CVSS 5.9, AI score 5.8, EPSS 0.00001
Exploits 0, References 3
OSV
added 2026/04/22 10:16 a.m., 1 view

DEBIAN-CVE-2026-33261

A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service...

CVSS 5.9, AI score 5.2, EPSS 0.00001
Exploits 0, References 1
Debian CVE
added 2026/04/22 9:40 a.m., 2 views

CVE-2026-33261

A zone transition from NSEC to NSEC3 might trigger an internal inconsistency and cause a denial of service...

CVSS 5.9, AI score 5.2, EPSS 0.00001
Exploits 0
AlpineLinux
added 2026/04/22 9:38 a.m., 4 views

CVE-2026-33258

By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC3 caches...

CVSS 7.5, AI score 5.2, EPSS 0.00002
Exploits 0
CNNVD
added 2026/04/22 12:00 a.m., 4 views

PowerDNS Recursor security vulnerability

PowerDNS Recursor (pdns_recursor) is a domain name resolution server developed by the Dutch company PowerDNS. PowerDNS Recursor has a security vulnerability in which a zone transition from NSEC to NSEC3 can trigger an internal inconsistency, resulting in a denial of service...

CVSS 5.9, AI score 5.8, EPSS 0.00001
Exploits 0, References 2
CNNVD
added 2026/04/22 12:00 a.m., 2 views

PowerDNS Recursor (pdns_recursor) security vulnerability

PowerDNS Recursor (pdns_recursor) is a domain name resolution server developed by the Dutch company PowerDNS. There is a security vulnerability in PowerDNS Recursor, which stems from the ability of attackers to publish and query specially crafted zones, resulting in the allocation of large entries i...

CVSS 7.5, AI score 5.8, EPSS 0.00002
Exploits 0, References 2
Positive Technologies
added 2026/04/22 12:00 a.m., 2 views

PT-2026-34322

By publishing and querying a crafted zone an attacker can cause allocation of large entries in the negative and aggressive NSEC3 caches...

CVSS 5.3, AI score 5.8, EPSS 0.00002
Exploits 0, References 2
Tenable Nessus
added 2026/04/16 12:00 a.m., 0 views

SUSE SLED15 / SLES15 Security Update : bind (SUSE-SU-2026:1366-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1366-1 advisory. - CVE-2026-1519: high CPU load during insecure delegation validation due to excessive NSEC3 iterations (bsc#1260805)...

CVSS 7.5, AI score 7.3, EPSS 0.00061
Exploits 0, References 4
SUSE Linux
added 2026/04/09 8:58 a.m., 4 views

Security update for bind

This update for bind fixes the following issues: CVE-2026-1519: high CPU load during insecure delegation validation due to excessive NSEC3 iterations (bsc#1260805). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch"...

CVSS 8.7, AI score 7.3, EPSS 0.00061
Exploits 0, References 4
Microsoft CVE
added 2026/03/29 8:01 a.m., 0 views

Excessive NSEC3 iterations cause high CPU load during insecure delegation validation

...

CVSS 7.5, AI score 5.8, EPSS 0.00061
Exploits 0
Slackware Linux
added 2026/03/25 11:59 p.m., 4 views

[slackware-security] bind

New bind packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/bind-9.18.47-i586-1slack15.0.txz: Upgraded. This update fixes a security issue: Fix unbounded NSEC3 iterations when validating referrals...

CVSS 7.5, AI score 5.8, EPSS 0.00061
Exploits 0