CVE-2026-33608
9.8 CRITICAL (CVSS 3.1) | EPSS 0.00%
Description
An attacker can send a notify request that causes a new secondary domain to be added to the bind backend but also causes the backend to update its configuration to an invalid one. As a result, the backend is no longer able to run on the next restart, and manual operation is required to fix it.
How to fix CVE-2026-33608
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Debian/pdns: no fix listed
Is CVE-2026-33608 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |