rec: Prevent null-pointer dereference in aggressive NSEC cache #17201

Merged
omoerbeek merged 1 commit into PowerDNS:master from omoerbeek:ywh-135
Apr 23, 2026

@omoerbeek
Member

This might happen if the zone is transitioning from NSEC to NSEC3 just in the middle of the getDenial processing.

Reported in #YWH-PGM6095-135.
CVE-2026-33261

Short description

Checklist

I have:

  • read the CONTRIBUTING.md document
  • read and accepted the Developer Certificate of Origin document, including the AI Policy, and added a "Signed-off-by" to my commits
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
  • checked that this code was merged to master

This might happen if the zone is transitioning from NSEC to
NSEC3 just in the middle of the `getDenial` processing.

Reported in #YWH-PGM6095-135.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
@omoerbeek omoerbeek added the rec label Apr 22, 2026
@omoerbeek omoerbeek merged commit 80c2397 into PowerDNS:master Apr 23, 2026
91 checks passed
@omoerbeek omoerbeek deleted the ywh-135 branch April 23, 2026 06:06