Is CVE-2026-33278 in the CISA KEV catalog?

No. CVE-2026-33278 is not currently on the CISA Known Exploited Vulnerabilities list.

What is the CVSS severity of CVE-2026-33278?

CVE-2026-33278 has a CVSS v3 base score of 9.8 (Critical).

What is the EPSS score for CVE-2026-33278?

CVE-2026-33278 has an EPSS score of 0.89% (55th percentile), estimating the probability of exploitation in the next 30 days.

CVE & CISA-KEV Catalog

CVE-2026-33278

CRITICAL

9.8

CVSS v3

NVD

Description

NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.

CWE-416Use After Free CWE-672

CVSS v3 Vector

Exploitability

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

ScopeUnchanged

Impact

ConfidentialityHigh

IntegrityHigh

AvailabilityHigh

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

0.89%probability of exploitation in 30 days

55thpercentile

Moderate risk: more likely to be exploited than 55% of all known CVEs.

References

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-05-20.