CVE-2026-33278
EUVD-2026-31075
20.05.2026, 10:16
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Enginsight
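The struct-assignment mistake described above, reduced to a minimal C model. This is an added example, not Unbound's code and not part of the advisory: the struct, field and function names are hypothetical, and malloc/free stand in for region allocation and teardown.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model. All names here are hypothetical, not Unbound's. */
struct reply { int rcode; int ttl; };
struct msg   { int qtype; struct reply *rep; };
typedef int (*copy_fn)(struct msg *dst, const struct msg *src);

/* Vulnerable pattern: the destination gets its own reply buffer, then the
 * whole-struct assignment replaces that pointer with the source's. */
static int copy_buggy(struct msg *dst, const struct msg *src)
{
    dst->rep = malloc(sizeof(*dst->rep));
    if (!dst->rep) return -1;
    *dst->rep = *src->rep;
    *dst = *src;   /* dst->rep now equals src->rep; the fresh copy is leaked */
    return 0;
}

/* Corrected pattern: copy the scalar fields, then keep the owned pointer. */
static int copy_fixed(struct msg *dst, const struct msg *src)
{
    struct reply *own = malloc(sizeof(*own));
    if (!own) return -1;
    *own = *src->rep;
    *dst = *src;
    dst->rep = own;
    return 0;
}

/* Returns 1 if the copy is still valid after the source's reply is freed,
 * 0 if it aliases the source (would dangle), -1 on allocation failure. */
static int survives_teardown(copy_fn copy)
{
    struct msg src = { 43, malloc(sizeof(struct reply)) }, dst = { 0, NULL };
    int ok;
    if (!src.rep) return -1;
    src.rep->rcode = 0; src.rep->ttl = 300;      /* constructed sample values */
    if (copy(&dst, &src) != 0) { free(src.rep); return -1; }
    if (dst.rep == src.rep) { free(src.rep); return 0; } /* never dereferenced */
    free(src.rep);                               /* sub-query region teardown */
    ok = (dst.qtype == 43 && dst.rep->ttl == 300);
    free(dst.rep);
    return ok;
}

int main(void)
{
    printf("buggy copy survives: %d\n", survives_teardown(copy_buggy));
    printf("fixed copy survives: %d\n", survives_teardown(copy_fixed));
    return 0;
}
```

The check compares pointers instead of dereferencing the aliased one, so the model shows the dangling condition without triggering undefined behaviour.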
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nlnetlabs | unbound | 1.19.1 ≤ 𝑥 < 1.25.1 |
𝑥 = Vulnerable software versions
openSUSE / SLES Releases
| openSUSE Product |
|---|
| libunbound8 |
| unbound-anchor |
| unbound-devel |
Amazon Linux Releases
| Amazon Package |
|---|
| python2-unbound |
| python3-unbound |
| python3-unbound-debuginfo |
| unbound |
| unbound-anchor |
| unbound-anchor-debuginfo |
| unbound-debuginfo |
| unbound-debugsource |
| unbound-devel |
| unbound-libs |
| unbound-libs-debuginfo |
| unbound-utils |
| unbound-utils-debuginfo |