SB2026052056 - Multiple vulnerabilities in Unbound
Published: May 20, 2026
Description
This security bulletin contains information about 10 vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2026-44608)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a use-after-free in RPZ zone handling when an RPZ XFR reload is processed concurrently with reads of an RPZ zone that uses 'rpz-nsip' or 'rpz-nsdname' triggers. A remote attacker can exploit the timing between a crafted zone transfer and concurrent zone reads to cause a denial of service.
Only multi-threaded deployments are affected, and local RPZ files do not trigger the vulnerability.
2) Use-after-free (CVE-ID: CVE-2026-33278)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service and potentially execute arbitrary code.
The vulnerability exists due to a use-after-free in Unbound's DNSSEC validator when processing the validation state of DS sub-queries after response messages have been deep-copied during NSEC3 computational budget exhaustion. A remote attacker who controls a malicious signed zone can query a vulnerable resolver to cause a denial of service and potentially execute arbitrary code.
Exploitation requires control of a malicious signed zone.
3) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-40622)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to extend the ghost domain window.
The vulnerability exists due to improper handling of cached parent-side referral NS records in Unbound when processing NS queries for a ghost zone. A remote attacker can control a ghost zone and trigger replacement of an expired parent-side referral NS rrset with the child-side apex NS rrset to extend the ghost domain window.
In configurations with 'harden-referral-path: yes', no client NS query is required because the resolver performs that query implicitly.
4) Resource exhaustion (CVE-ID: CVE-2026-41292)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in EDNS option parsing when handling queries with long lists of EDNS options. A remote attacker can send specially crafted queries with too many EDNS options to cause a denial of service.
Coordinated attacks can degrade service by tying up Unbound threads while internal data structures for the options are being created.
5) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-42534)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state management in Unbound's jostle logic when processing duplicate queries while resolving names through a slow or malicious authoritative name server. A remote user can send repeated queries for names served by a controlled slow-responding name server to cause a denial of service.
Cache and local data response performance remains unaffected. Exploitation requires the resolver to reach its configured query-per-thread limit, and coordinated attacks can degrade resolution to the point of denying resolution service.
6) Resource exhaustion (CVE-ID: CVE-2026-42923)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in Unbound's DNSSEC validator negative cache handling for DS records when processing DNSSEC-signed zones with NSEC3 records using high iteration counts for child delegations. A remote attacker can control a DNSSEC-signed zone and query a vulnerable Unbound resolver to cause a denial of service.
A global lock for the negative cache may be held for the duration of the hashing, blocking other threads that need to consult the negative cache.
7) Heap-based buffer overflow (CVE-ID: CVE-2026-42944)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in the EDNS option encoder when processing queries that contain multiple NSID, DNS Cookie and/or EDNS Padding options. A remote attacker can send a specially crafted query to cause a denial of service.
Only instances with the relevant EDNS options enabled are vulnerable.
8) Access of Uninitialized Pointer (CVE-ID: CVE-2026-42959)
CWE-ID: CWE-824 - Access of Uninitialized Pointer
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use of an uninitialized pointer in the DNSSEC validator when constructing chase-reply messages for validation. A remote attacker can provide a malicious upstream reply to cause a denial of service.
Exploitation requires control of a DNSSEC-signed domain and can be triggered with a single query using a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records.
9) Insufficient verification of data authenticity (CVE-ID: CVE-2026-42960)
CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to poison Unbound's DNS cache.
The vulnerability exists due to improper cache validation in processing authority and additional section RRSets when handling spoofed DNS replies or fragmented responses. A remote attacker can inject non-NS RRSets accompanied by related address records to poison Unbound's DNS cache.
Exploitation requires the ability to attach malicious records to a reply, such as through packet spoofing or fragmentation attacks.
10) Resource exhaustion (CVE-ID: CVE-2026-44390)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in name compression handling for downstream replies when processing malicious upstream responses with very large RRsets whose records do not share a suffix above the root. A remote attacker can query Unbound for specially crafted contents of a malicious zone to cause a denial of service.
The issue can lock the CPU while the reply packet is being completed, leading to degraded performance before service disruption.
Remediation
Install the update from the vendor's website.
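Several items above only apply under a configuration precondition: a multi-threaded resolver whose RPZ zones are loaded by zone transfer (item 1), 'harden-referral-path: yes' (item 3), enabled NSID, DNS Cookie or EDNS Padding options (item 7), and the per-thread query limit that the jostle issue (item 5) must reach. The following Python audit checks those preconditions in an unbound.conf and compares a reported version against the fixed release. It is an added example written for this page, not code from NLnet Labs or from the bulletin; the sample configuration is constructed, the fixed version 1.25.1 is assumed from the tarball listed in the references, and the 'Version X.Y.Z' format of `unbound -V` output is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample unbound.conf: the option names are real Unbound options,
# the values and the RPZ zone are illustrative, not a real deployment.
SAMPLE_CONF = """\
server:
    num-threads: 4                 # multi-threaded deployment
    harden-referral-path: yes
    nsid: "ascii_resolver01"       # NSID EDNS option enabled
    answer-cookie: yes             # DNS Cookie EDNS option enabled
    pad-responses: yes             # EDNS Padding enabled
    num-queries-per-thread: 1024

rpz:
    name: "rpz.example"
    primary: 192.0.2.10            # zone is loaded by zone transfer (XFR)
    zonefile: "rpz.example.zone"
"""

# Assumption: the fixed release is the tarball named in the bulletin's
# references, unbound-1.25.1.tar.gz; adjust if the vendor advisories differ.
FIXED_VERSION = (1, 25, 1)


def parse_conf(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse unbound.conf into {section: [options, ...]}.

    A 'section:' line at column 0 opens a new option block; indented
    'key: value' lines fill the current block. Comments are stripped and
    double quotes around values are removed. Repeated sections (several
    'server:' blocks) are kept as separate dicts and merged by audit().
    """
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^([\w-]+):\s*$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, []).append({})
            continue
        option = re.match(r"^\s*([\w-]+):\s*(.*?)\s*$", line)
        if option and current is not None:
            sections[current][-1][option.group(1)] = option.group(2).strip('"')
    return sections


def audit(conf: Dict[str, List[Dict[str, str]]]) -> List[str]:
    """Return one finding per bulletin item whose configuration precondition
    is present. An empty list means none of the configuration-dependent
    preconditions apply; the remaining items need only a reachable resolver."""
    server: Dict[str, str] = {}
    for block in conf.get("server", []):
        server.update(block)
    findings: List[str] = []

    # Item 1: only multi-threaded deployments with RPZ zones reloaded by XFR
    # are affected; local RPZ files do not trigger the issue.
    threads = int(server.get("num-threads", "1"))
    xfr_rpz = [b.get("name", "?") for b in conf.get("rpz", [])
               if "primary" in b or "master" in b]
    if threads > 1 and xfr_rpz:
        findings.append(f"CVE-2026-44608: num-threads={threads} with RPZ zone(s) "
                        f"loaded by zone transfer: {', '.join(xfr_rpz)}")

    # Item 3: with harden-referral-path the resolver issues the NS query
    # itself, so no client NS query is needed.
    if server.get("harden-referral-path") == "yes":
        findings.append("CVE-2026-40622: harden-referral-path is yes, so the "
                        "ghost-domain extension needs no client NS query")

    # Item 7: only instances with NSID, DNS Cookie or EDNS Padding enabled
    # are vulnerable (nsid takes a string value, the others yes/no).
    enabled = [k for k in ("nsid", "answer-cookie", "pad-responses")
               if k in server and server[k] != "no"]
    if enabled:
        findings.append("CVE-2026-42944: EDNS option feature(s) enabled: "
                        + ", ".join(enabled))

    # Item 5: exploitation requires the per-thread query limit to be reached;
    # report the configured limit so its headroom can be judged.
    if "num-queries-per-thread" in server:
        findings.append("CVE-2026-42534: num-queries-per-thread="
                        f"{server['num-queries-per-thread']} is the limit that "
                        "must be reached before the jostle issue takes effect")
    return findings


def version_is_fixed(unbound_v_output: str) -> bool:
    """True if the version reported by 'unbound -V' is at least FIXED_VERSION.
    Assumption: the output contains a line of the form 'Version X.Y.Z'."""
    m = re.search(r"Version\s+(\d+)\.(\d+)\.(\d+)", unbound_v_output)
    if not m:
        raise ValueError("no 'Version X.Y.Z' line in unbound -V output")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF)):
        print(finding)
    print("fixed:", version_is_fixed("Version 1.25.0"))  # constructed output
```

To audit a live resolver, read the real unbound.conf into `parse_conf` and feed the text of `unbound -V` to `version_is_fixed`; an empty findings list narrows the exposure to the items that need no particular configuration (items 2, 4, 6, 8, 9 and 10), which still require the vendor update.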
References
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt
- https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt
- https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42534.diff
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42923.txt
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txt
- https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42960.txt
- https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42960.diff
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt