SB2026060535 - openEuler 24.03 LTS SP3 update for unbound
Published: June 5, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 7 vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2026-32792)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a heap-based buffer overflow in Unbound's DNSCrypt packet reading procedure when processing a crafted DNSCrypt query. A remote attacker can send a specially crafted DNSCrypt query to cause a denial of service.
Only installations compiled with DNSCrypt support are vulnerable. The crafted query's decrypted plaintext consists entirely of 0x00 bytes and lacks the expected 0x80 marker. A crash depends on the underlying memory allocator and memory layout.
2) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-40622)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to extend the ghost domain window.
The vulnerability exists due to improper handling of cached parent-side referral NS records in Unbound when processing NS queries for a ghost zone. A remote attacker can control a ghost zone and trigger replacement of an expired parent-side referral NS rrset with the child-side apex NS rrset to extend the ghost domain window.
In configurations with 'harden-referral-path: yes', no client NS query is required because the resolver performs that query implicitly.
3) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-42534)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state management in Unbound jostle logic when processing duplicate queries while resolving queries through a slow or malicious authoritative name server. A remote user can send repeated queries for names served by a controlled slow-responding domain name server to cause a denial of service.
Cache and local data response performance remains unaffected. Exploitation requires the resolver to reach its configured query-per-thread limit, and coordinated attacks can degrade resolution into denial of resolution service.
4) Resource exhaustion (CVE-ID: CVE-2026-42923)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper resource management in Unbound's DNSSEC validator negative cache handling for DS records when processing DNSSEC-signed zones with NSEC3 records using high iteration counts for child delegations. A remote attacker can control a DNSSEC-signed zone and query a vulnerable Unbound resolver to cause a denial of service.
A global lock for the negative cache may be held for the duration of the hashing, blocking other threads that need to consult the negative cache.
5) Resource exhaustion (CVE-ID: CVE-2026-44390)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in name compression handling for downstream replies when processing malicious upstream responses with very large RRsets whose records do not share a suffix above the root. A remote attacker can query Unbound for specially crafted contents of a malicious zone to cause a denial of service.
The issue can lock the CPU while the reply packet is being completed, leading to degraded performance before service disruption.
6) Use-after-free (CVE-ID: CVE-2026-44608)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to use-after-free in RPZ zone handling when processing an RPZ XFR reload concurrently with reads of an RPZ zone using 'rpz-nsip' or 'rpz-nsdname' triggers. A remote attacker can trigger a crafted zone transfer timing condition to cause a denial of service.
Only multi-threaded deployments are affected, and local RPZ files do not trigger the vulnerability.
7) Resource exhaustion (CVE-ID: CVE-2024-8508)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling replies with very large RRsets. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.