Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-33278 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-33278 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

A critical memory vulnerability in NLnet Labs Unbound versions 1.19.1 through 1.25.0 affects the DNSSEC validator component, exposing DNS resolvers to denial of service and potential remote code execution.

Technical Detail

The flaw resides in the DNSSEC validation logic, where Unbound performs a deep copy operation on attacker-influenced data structures without adequate depth or size constraints, leading to uncontrolled memory consumption or memory corruption. An attacker can trigger this condition by sending a specially crafted DNS response containing deeply nested or malformed DNSSEC records to a vulnerable resolver. Successful exploitation may result in a crash of the Unbound process (denial of service) or, under conditions that have not yet been fully characterized publicly, remote code execution within the context of the resolver process.

Exploitation Status

No known exploit exists for this vulnerability at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as no known exploit, meaning no public proof-of-concept or weaponized code has been confirmed. Given the critical CVSS score of 9.8 and the nature of the flaw, this assessment should be treated as subject to rapid change.

Who Is Targeting This

No specific threat actor attribution at this time. Neither confirmed nor reported threat actor activity has been associated with this CVE as of the date of this briefing.

What To Do

Operators running NLnet Labs Unbound versions 1.19.1 through 1.25.0 should prioritize patching immediately given the critical severity rating and the exposure of DNSSEC-validating resolvers to unauthenticated network input. Check the NLnet Labs security advisories and the official Unbound release page for a patched version and apply it as soon as it is available. If a patch cannot be applied immediately, consider disabling DNSSEC validation as a temporary workaround only if operationally acceptable, understanding this reduces DNS security posture. Network-level mitigations such as restricting recursive resolver access to trusted clients and monitoring for anomalous DNS response sizes or deeply nested record structures may reduce exposure. Monitor NLnet Labs communications and CISA KEV updates for any change in exploitation status.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →