CVE-2026-33811
Published: 2026-05-07
Priority: P3 · 42 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.81% (52.4th percentile)
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
Affected
113 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | 3scale-rhel7-operator | — | — |
| 3scale-amp2 | 3scale-rhel9-operator | — | — |
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | receptor-rhel9 | — | — |
| ansible-automation-platform | platform-operator-bundle | — | — |
| apicurio | apicurio-registry-rhel8-operator | — | — |
| apicurio | apicurio-registry-rhel9-operator | — | — |
| build-of-trustee | trustee-rhel9-operator | — | — |
| buildah_project | buildah | — | — |
| cert-manager | jetstack-cert-manager-rhel9 | — | — |
| compliance | openshift-compliance-operator-bundle | — | — |
| compliance | openshift-selinuxd-rhel8 | — | — |
| confidential-compute-attestation-tech-preview | trustee-rhel9-operator | — | — |
| confidential-containers | trustee | — | — |
| container-native-virtualization | kubevirt-apiserver-proxy-rhel9 | — | — |
| container-native-virtualization | virt-api-rhel9 | — | — |
| container-tools_rhel8 | conmon | — | — |
| container-tools_rhel8 | containernetworking-plugins | — | — |
| container-tools_rhel8 | oci-seccomp-bpf-hook | — | — |
| container-tools_rhel8 | runc | — | — |
| container-tools_rhel8 | skopeo | — | — |
| container-tools_rhel8 | toolbox | — | — |
| cryostat | cryostat-storage-rhel9 | — | — |
| custom-metrics-autoscaler | custom-metrics-autoscaler-rhel9 | — | — |
| debian | qpid-proton | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME
vendor_redhat · 2026-05-07 · CVSS 7.5 · HIGH · CWE-1341
A flaw was found in the `net` package of Go (golang), specifically when the `LookupCNAME` function is served by the `cgo` DNS resolver. A remote attacker who controls, or can spoof, the DNS answer for a name the application resolves could exploit this by returning a very long Canonical Name (CNAME) response. This can trigger a double-free of C memory, leading to a crash and a Denial of Service (DoS) for the affected application. Lookups handled by the pure-Go resolver do not take this code path.
Package: rhai/assisted-installer-rhel9 (Assisted Installer for Red Hat OpenShift Container Platform 2) - Under investigation
Package: openshift-builds/openshift-builds-waiters-rhel9 (Builds for Red Hat OpenShift) - Under investigation
Package: cert-manager/jetstack-cert-manager-rhel9 (cert-manager Operator for Red Hat OpenShift) - Under investigation
GHSA
GHSA-497x-jcxf-m478: When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash
ghsa_unreviewed · 2026-05-07 · HIGH
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
VulDB
net up to 1.25.9/1.26.2 on Go cgo DNS Resolver LookupCNAME double free
vuldb · 2026-05-07 · rated LOW by VulDB
A vulnerability classified as problematic has been found in Go's net package up to 1.25.9/1.26.2. The affected element is the function LookupCNAME of the cgo DNS Resolver component. The manipulation leads to a double free.
This vulnerability is tracked as CVE-2026-33811. The attack can be initiated remotely. No exploit is available.
You should upgrade the affected component.
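The following Go program is an added example, not code from the Go project, Red Hat, VulDB or any other source on this page. It turns the advisory's two practical questions into checks: whether the running toolchain falls inside the version range VulDB lists ("up to 1.25.9/1.26.2"; fixed versions are not stated on this page, so anything above that range is reported as outside it rather than as fixed), and whether the binary was built so that the cgo resolver can be selected at all (cgo compiled in, no `netgo` build tag, no `GODEBUG=netdns=go`). It then shows `net.Resolver{PreferGo: true}` as a run-time way to keep a `LookupCNAME` call on the pure-Go resolver. The function names are my own; `runtime/debug.ReadBuildInfo`, the `CGO_ENABLED` and `-tags` build settings, `net.Resolver.PreferGo` and the `GODEBUG` `netdns` key are standard-library facilities.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"runtime"
	"runtime/debug"
	"strconv"
	"strings"
	"time"
)

// parseGoVersion turns a runtime.Version() string such as "go1.25.9" into
// (major, minor, patch). ok is false for non-release toolchains ("devel ...").
func parseGoVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(v, "go")
	if i := strings.IndexByte(v, ' '); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return 0, 0, 0, false
	}
	var n [3]int
	for i, p := range parts {
		x, err := strconv.Atoi(p)
		if err != nil {
			return 0, 0, 0, false
		}
		n[i] = x
	}
	return n[0], n[1], n[2], true
}

// affectedStatus classifies a toolchain against the ranges VulDB lists for
// CVE-2026-33811 ("net up to 1.25.9/1.26.2"). Versions the page does not
// speak about (other minor lines, devel builds) are reported as "unknown".
func affectedStatus(v string) string {
	major, minor, patch, ok := parseGoVersion(v)
	if !ok || major != 1 {
		return "unknown"
	}
	switch {
	case minor == 25 && patch <= 9, minor == 26 && patch <= 2:
		return "affected"
	case minor == 25 || minor == 26:
		return "above listed range"
	}
	return "unknown"
}

// netdnsSetting returns the value of netdns= from a GODEBUG string such as
// "http2client=0,netdns=go+1"; empty when the key is absent.
func netdnsSetting(godebug string) string {
	for _, kv := range strings.Split(godebug, ",") {
		if k, v, ok := strings.Cut(kv, "="); ok && k == "netdns" {
			return v
		}
	}
	return ""
}

// cgoResolverPossible reports whether a binary can select the cgo resolver at
// all: cgo compiled in, no "netgo" build tag, and GODEBUG not forcing the
// pure-Go resolver ("netdns=go" or "netdns=go+N"). A true result does not
// mean every lookup uses cgo: the net package decides per query from
// resolv.conf and the host name, and "netdns=cgo" forces it outright.
func cgoResolverPossible(cgoEnabled, tags, godebug string) bool {
	if cgoEnabled != "1" {
		return false
	}
	for _, t := range strings.Split(tags, ",") {
		if strings.TrimSpace(t) == "netgo" {
			return false
		}
	}
	return !strings.HasPrefix(netdnsSetting(godebug), "go")
}

// buildSetting reads one key ("CGO_ENABLED", "-tags") from the build info
// embedded in the running binary; empty if the info is unavailable.
func buildSetting(key string) string {
	if bi, ok := debug.ReadBuildInfo(); ok {
		for _, s := range bi.Settings {
			if s.Key == key {
				return s.Value
			}
		}
	}
	return ""
}

// lookupCNAMEPureGo runs the lookup with PreferGo set, which keeps this query
// on the pure-Go resolver and off the cgo path the advisory concerns, without
// a rebuild. It is a mitigation, not a replacement for upgrading the toolchain.
func lookupCNAMEPureGo(ctx context.Context, host string) (string, error) {
	r := &net.Resolver{PreferGo: true}
	return r.LookupCNAME(ctx, host)
}

func main() {
	fmt.Printf("toolchain %s: %s\n", runtime.Version(), affectedStatus(runtime.Version()))
	fmt.Printf("cgo resolver selectable in this binary: %v\n",
		cgoResolverPossible(buildSetting("CGO_ENABLED"), buildSetting("-tags"), os.Getenv("GODEBUG")))
	if len(os.Args) > 1 { // optional: resolve a CNAME via the pure-Go path
		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
		defer cancel()
		cname, err := lookupCNAMEPureGo(ctx, os.Args[1])
		fmt.Println("CNAME:", cname, "err:", err)
	}
}
```

Run it as `go run . www.example.com` to see both checks and a pure-Go lookup. `PreferGo` only governs lookups made through that `Resolver`; to take the cgo resolver out of the whole process, build with `-tags netgo` or set `GODEBUG=netdns=go` in the environment, after which `cgoResolverPossible` reports false. Neither step replaces moving to a toolchain outside the listed range.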
No detection rules found.
No public exploits indexed.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVE-2026-41089 · CVSS 10.0 · CRITICAL
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday . Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089 , which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-33811 net: golang: Go net package: Denial of Service via long CNAME response in LookupCNAME
bugzilla · 2026-05-07 · CVSS 7.5 · HIGH
When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.
References:
- https://go.dev/cl/767860
- https://go.dev/issue/78803
- https://groups.google.com/g/golang-announce/c/qcCIEXso47M
- https://pkg.go.dev/vuln/GO-2026-4981
- https://access.redhat.com/errata/RHSA-2026:23262
- https://access.redhat.com/errata/RHSA-2026:23264
- https://access.redhat.com/errata/RHSA-2026:33120
- https://access.redhat.com/errata/RHSA-2026:33123
- https://access.redhat.com/errata/RHSA-2026:33142
- https://access.redhat.com/errata/RHSA-2026:33150
- https://access.redhat.com/security/cve/CVE-2026-33811
- https://bugzilla.redhat.com/show_bug.cgi?id=2467822
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33811.json
Published: 2026-05-07