| Name | CVE-2026-33611 |
| Description | An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-6233-1 |
| Debian Bugs | 1135373 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| pdns (PTS) | bullseye | 4.4.1-1 | vulnerable |
| pdns (PTS) | bookworm | 4.7.3-2 | vulnerable |
| pdns (PTS) | trixie | 4.9.7-1 | vulnerable |
| pdns (PTS) | trixie (security) | 4.9.14-0+deb13u1 | fixed |
| pdns (PTS) | forky, sid | 5.0.3-1 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| pdns | source | bullseye | (unfixed) | end-of-life | | |
| pdns | source | bookworm | (unfixed) | end-of-life | | |
| pdns | source | trixie | 4.9.14-0+deb13u1 | | DSA-6233-1 | |
| pdns | source | (unstable) | (unfixed) | | | 1135373 |
Notes
[bookworm] - pdns <end-of-life> (See #1119290)
[bullseye] - pdns <end-of-life> (see DLA 4471)
https://docs.powerdns.com/authoritative/security-advisories/powerdns-advisory-2026-05.html#insufficient-validation-of-https-and-svcb-records