Description
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Published: 2026-05-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Unbound's DNSSEC validation logic, where deep copying of a response message incorrectly overwrites a destination pointer. This use-after-free flaw (CWE‑416) can lead to a crash or, in the worst case, allow an adversary to execute arbitrary code when a malicious signed zone triggers NSEC3 budget exhaustion.

Affected Systems

NLnet Labs Unbound versions from 1.19.1 through 1.25.0 are affected. All installations running any of these releases without the 1.25.1 patch are susceptible to the fault. The CVE entry does not list any other vendors or products.

Risk and Exploitability

With a CVSS score of 9.1, the flaw represents a critical risk. EPSS data is not provided, and the vulnerability is not currently listed in the CISA KEV catalog, which may suggest a lower exploitation rate at present. However, because the attack requires only a malicious zone presented to the resolver, the likelihood of exploitation remains significant for any network that trusts external DNS data. The primary attack vector inferred is a remote DNS query over the network to a configured Unbound instance.

Generated by OpenCVE AI on May 20, 2026 at 11:25 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later to receive the patch that preserves the correct pointer during deep copying.
  • Restart the Unbound service so that the new binary and memory layout replace any stale components.
  • Configure alerting or log monitoring to detect segmentation faults or abnormal termination events in Unbound, which could indicate an attempted exploitation.

Generated by OpenCVE AI on May 20, 2026 at 11:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6304-1 unbound security update
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
History

Thu, 21 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 20 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs unbound
CPEs cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
Vendors & Products Nlnetlabs
Nlnetlabs unbound
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Title Possible arbitrary code execution during DNSSEC validation
Weaknesses CWE-416
CWE-672
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Red'}

Subscriptions

Nlnetlabs Unbound
cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:13:09.692Z

Reserved: 2026-05-07T10:07:51.853Z

Link: CVE-2026-33278

cve-icon Vulnrichment

Updated: 2026-05-20T12:13:06.187Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T10:16:26.530

Modified: 2026-05-20T22:49:23.313

Link: CVE-2026-33278

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-20T11:33:59Z

Links: CVE-2026-33278 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:15:06Z

Weaknesses