What is CVE-2026-33278?

CVE-2026-33278 is a critical-severity vulnerability in Nlnet Labs Unbound, classified under Use After Free. CVSS score: 9.8/10. Published 2026-05-20.

How severe is CVE-2026-33278?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Use After Free in Nlnet Labs Unbound

CVE-2026-33278

NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwri…

Vulnerability class: Use-After-Free

EPSS: 0.003 (55.5th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Nlnet Labs Unbound — versions 1.19.1
Nlnetlabs Unbound

Weakness classification (CWE)

CWE-416 — Use After Free
CWE-672 — Operation on a Resource after Expiration or Release

References

sep@nlnetlabs.nl (vendor-advisory, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-33278?: CVE-2026-33278 is a critical-severity vulnerability in Nlnet Labs Unbound, classified under Use After Free. CVSS score: 9.8/10. Published 2026-05-20.
How severe is CVE-2026-33278?: Critical severity. CVSS v3 base score is 9.8 out of 10.