Description
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Published: 2026-05-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Unbound's DNSSEC validation logic, where deep copying of a response message incorrectly overwrites a destination pointer. This use-after-free flaw (CWE‑416) can lead to a crash or, in the worst case, allow an adversary to execute arbitrary code when a malicious signed zone triggers NSEC3 budget exhaustion.

Affected Systems

NLnet Labs Unbound versions from 1.19.1 through 1.25.0 are affected. All installations running any of these releases without the 1.25.1 patch are susceptible to the fault. The CVE entry does not list any other vendors or products.

Risk and Exploitability

With a CVSS score of 9.1, the flaw represents a critical risk. EPSS data is not provided, and the vulnerability is not currently listed in the CISA KEV catalog, which may suggest a lower exploitation rate at present. However, because the attack requires only a malicious zone presented to the resolver, the likelihood of exploitation remains significant for any network that trusts external DNS data. The primary attack vector inferred is a remote DNS query over the network to a configured Unbound instance.

Generated by OpenCVE AI on May 20, 2026 at 11:25 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later to receive the patch that preserves the correct pointer during deep copying.
  • Restart the Unbound service so that the new binary and memory layout replace any stale components.
  • Configure alerting or log monitoring to detect segmentation faults or abnormal termination events in Unbound, which could indicate an attempted exploitation.

Generated by OpenCVE AI on May 20, 2026 at 11:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Title Possible arbitrary code execution during DNSSEC validation
Weaknesses CWE-416
CWE-672
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Red'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:13:09.692Z

Reserved: 2026-05-07T10:07:51.853Z

Link: CVE-2026-33278

cve-icon Vulnrichment

Updated: 2026-05-20T12:13:06.187Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:26.530

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-33278

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses