SB2026070834 - Red Hat Enterprise Linux 9 update for unbound
Published: July 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2026-41292)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in EDNS option parsing when handling queries with long lists of EDNS options. A remote attacker can send specially crafted queries with too many EDNS options to cause a denial of service.
Coordinated attacks can degrade service by tying up Unbound threads while internal data structures for the options are being created.
2) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-40622)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to extend the ghost domain window.
The vulnerability exists due to improper handling of cached parent-side referral NS records in Unbound when processing NS queries for a ghost zone. A remote attacker can control a ghost zone and trigger replacement of an expired parent-side referral NS rrset with the child-side apex NS rrset to extend the ghost domain window.
In configurations with 'harden-referral-path: yes', no client NS query is required because the resolver performs that query implicitly.
3) Resource exhaustion (CVE-ID: CVE-2026-44390)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in name compression handling for downstream replies when processing malicious upstream responses with very large RRsets whose records do not share a suffix above the root. A remote attacker can query Unbound for specially crafted contents of a malicious zone to cause a denial of service.
The issue can lock the CPU while the reply packet is being completed, leading to degraded performance before service disruption.
4) Improper control of a resource through its lifetime (CVE-ID: CVE-2026-42534)
CWE-ID: CWE-664 - Improper control of a resource through its lifetime
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper state management in Unbound jostle logic when processing duplicate queries while resolving queries through a slow or malicious authoritative name server. A remote user can send repeated queries for names served by a controlled slow-responding domain name server to cause a denial of service.
Cache and local data response performance remains unaffected. Exploitation requires the resolver to reach its configured query-per-thread limit, and coordinated attacks can degrade resolution into denial of resolution service.
Remediation
Install update from vendor's website.