These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-10846 is a HIGH-severity vulnerability in NLnet Labs ldns, a DNS library used for DNS resolution. Versions 1.2.0 through 1.9.0 are affected when used as a (stub) resolver over UDP. The vulnerability allows for off-path poisoning attacks due to a lack of matching between query and response source addresses, ports, query IDs, and questions.
CVE-2026-49234 is a HIGH severity vulnerability in Routinator that causes a crash when a specifically crafted non-UTF-8 string is sent as a select-asn query parameter to the /api/v1/origins endpoint. This issue only affects users who allow API access from untrusted networks.
CVE-2026-49232 is a high-severity vulnerability in Routinator, software used for RPKI-based BGP route validation. The vulnerability has a CVSS score of 8.7 and can cause a denial of service (DoS) condition when accepting incoming HTTP or RTR connections. An attacker can trigger this condition by opening a large number of connections to the HTTP or RTR server, causing the software to exit on any error, i [truncated]
CVE-2026-44608 describes a locking inconsistency in NLnet Labs Unbound that can lead to a heap use-after-free and eventual crash when specific conditions line up: the resolver is multi-threaded, an RPZ zone uses rpz-nsip or rpz-nsdname triggers, and an XFR reload of that RPZ zone is happening at the same time another thread reads the zone. The issue does not apply to local RPZ files. NLnet Labs states tha [truncated]
CVE-2026-44390 is a denial-of-service issue in NLnet Labs Unbound. According to the vendor advisory and NVD, Unbound up to and including 1.25.0 can spend a considerable amount of CPU time applying name compression to replies containing very large RRsets, especially when the records do not share a suffix above the root. In well-orchestrated attacks, this can degrade performance and eventually lead to servi [truncated]
CVE-2026-42959 is a high-severity denial-of-service issue in NLnet Labs Unbound’s DNSSEC validator. A crafted upstream response can trigger an immediate crash in versions up to and including 1.25.0; Unbound 1.25.1 contains the fix.
CVE-2026-42944 is a network-exploitable heap overflow in NLnet Labs Unbound affecting versions 1.14.0 through 1.25.0. The issue can be triggered by a client that can query Unbound and supplies multiple NSID, DNS Cookie, and/or EDNS Padding options, but only when the relevant EDNS features are enabled. NLnet Labs states Unbound 1.25.1 contains the fix.
NLnet Labs Unbound versions 1.19.1 through 1.25.0 contain a DNSSEC validator issue where the negative-cache path for DS records does not apply the NSEC3 hash-calculation limit introduced in 1.19.1. According to the vendor and NVD, this can cause excessive hashing work and hold a global negative-cache lock long enough to block other threads, creating a denial-of-service condition under coordinated attack. [truncated]
CVE-2026-42534 is a network-reachable availability issue in NLnet Labs Unbound up to and including 1.25.0. According to the published CVE description and NVD metadata, duplicate retransmits of the same query can refresh the apparent age of slow queries, which can interfere with Unbound’s jostle logic when the per-thread query limit is reached. The result is degraded resolution performance, and coordinated [truncated]
CVE-2026-41292 affects NLnet Labs Unbound up to and including 1.25.0. A remote attacker can send queries with excessive EDNS options to keep Unbound threads busy while the resolver parses the options and builds internal data structures, which can degrade service or cause denial of service. Unbound 1.25.1 includes a fix that limits acceptable incoming EDNS options to 100.
CVE-2026-40622 describes a DNS resolver integrity issue in NLnet Labs Unbound affecting versions 1.16.2 through 1.25.0. In the described ghost-domain attack family, a remote adversary who controls a ghost zone and can query a vulnerable resolver may cause an expired parent-side referral NS RRset in cache to be replaced with a child-side apex NS RRset, extending the ghost-domain window by up to one configu [truncated]
CVE-2026-32792 affects NLnet Labs Unbound versions 1.6.2 through 1.25.0 when compiled with DNSCrypt support (--enable-dnscrypt). According to the vendor and NVD, a single malformed DNSCrypt query whose decrypted plaintext is all 0x00 bytes and lacks the expected 0x80 marker can underflow the packet-reading logic, potentially causing a heap overflow and a crash. NLnet Labs states that version 1.25.1 fixes [truncated]