The report says:
CVSS 3.1: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CWE: CWE-125 (Out-of-bounds Read), CWE-20 (Improper Input Validation)
Auth: None (malicious DNS server on network path)
Version: 2.5.20, master commit d3822099fdd4 (2026-06-19)
Build: HAVE_SYSTEM_RESOLVER (standard on most Linux distributions)File: dirmngr/dns-stuff.c, get_dns_cert_standard(), lines 1607-1784