NLnet Labs reports:
This release consolidates security fixes for issues reported
over a period of time. There are fixes for:
- CVE-2026-33278: Possible remote code execution during
DNSSEC validation.
- CVE-2026-42944: Heap overflow and crash with multiple
nsid, cookie, padding EDNS options.
- CVE-2026-42959: Crash during DNSSEC validation of
malicious content.
- CVE-2026-32792: Packet of death with DNSCrypt.
- CVE-2026-40622: "Ghost domain name" variant.
- CVE-2026-41292: Parsing a long list of incoming EDNS
options degrades performance.
- CVE-2026-42534: Jostle logic bypass degrades resolution
performance.
- CVE-2026-42923: Degradation of service with unbounded
NSEC3 hash calculations.
- CVE-2026-42960: Possible cache poisoning attack while
following delegation.
- CVE-2026-44390: Unbounded name compression in certain
cases causes degradation of service.
- CVE-2026-44608: Use after free and crash in RPZ code.