CVE-2026-44608

EUVD-2026-31087

20.05.2026, 10:16

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

unbound

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	vulnerable
sid	vulnerable
trixie	vulnerable
trixie (security)	vulnerable

Common Weakness Enumeration

CWE-413 - Improper Resource Locking
The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource.

Vulnerability Media Exposure

[GERMAN] Unbound: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff
Ein Angreifer kann mehrere Schwachstellen in Unbound ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen.
Published: 2026-05-19T22:00:00+00:00

References

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt