Description
NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
Published: 2026-05-20
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability belongs to the 'ghost domain names' family. An attacker who controls a zone and can query a vulnerable Unbound instance can cause it to overwrite an expired parent-side referral NS rrset with the child-side apex NS rrset, which extends the period during which the attacker-controlled NS records stay cached and are served by up to the configured cache-max-ttl value. The result is a longer window in which the resolver keeps returning the rogue NS records after the parent has stopped delegating to them, which can lead to DNS spoofing or denial of service.

Affected Systems

NLnet Labs Unbound versions from 1.16.2 through 1.25.0 are affected. Any deployment using a version in that range will be vulnerable, while Unbound 1.25.1 and later contain the fix that prevents TTL extension of parent NS records.

Risk and Exploitability

The CVSS score of 6.6 indicates a medium severity vulnerability, and the EPSS score of less than 1% suggests a very low public exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to own a zone and issue an NS query, unless the deployer is using the non-default 'harden-referral-path: yes' configuration; in that case Unbound performs the query itself, removing the need for an external trigger. Based on the description, vulnerable Unbound installations that can be queried by untrusted parties are inferred to be the most at risk.

Generated by OpenCVE AI on May 20, 2026 at 17:35 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1.

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later, which removes the ability to extend TTLs for parent NS records.
  • If upgrading is delayed, disable the 'harden-referral-path' option or set it to 'no' so that Unbound does not issue the triggering NS query on its own. Note that this only removes the implicit trigger: per the description, a single client NS query can still cause the overwrite on an unpatched version.
  • Reduce the value of 'cache-max-ttl' to the lowest acceptable TTL to bound the window by which an attacker can extend the ghost domain period, thereby limiting the potential impact.

Generated by OpenCVE AI on May 20, 2026 at 17:35 UTC.
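As an added check (not part of the OpenCVE page or of Unbound's own tooling), the Python script below reads an Unbound version string such as the first line of `unbound -V` output together with a server-clause config fragment, and reports whether the deployment falls in the affected range, whether an external client NS query is needed to trigger the overwrite, and the maximum window by which the ghost delegation could be extended. The 86400-second cache-max-ttl default and the sample inputs are assumptions.

```python
"""Audit an Unbound deployment's exposure to CVE-2026-40622 (added example)."""
import re

AFFECTED_MIN = (1, 16, 2)  # first affected release named in the advisory
FIXED = (1, 25, 1)         # first release carrying the fix

def parse_version(text):
    """Extract a dotted release number, e.g. from the 'Version 1.24.0' line of unbound -V."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    return AFFECTED_MIN <= version < FIXED  # 1.16.2 <= v < 1.25.1

def parse_unbound_conf(text):
    """Minimal 'key: value' reader; skips comments and clause headers like 'server:'."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        key, _, value = line.partition(":")
        opts[key.strip()] = value.strip().strip('"')
    return opts

def assess(version, opts):
    """Report affected status, whether the attacker must send the NS query, and the max window."""
    affected = is_affected(version)
    harden = opts.get("harden-referral-path", "no").lower() == "yes"
    max_ttl = int(opts.get("cache-max-ttl", 86400))  # 86400 s assumed as Unbound's default
    return {
        "affected": affected,
        "needs_client_query": affected and not harden,  # 'yes' makes Unbound query by itself
        "max_extension_seconds": max_ttl if affected else 0,
    }

# Constructed sample inputs, not taken from the page
SAMPLE_VERSION = "Version 1.24.0"
SAMPLE_CONF = """
server:
    harden-referral-path: yes   # non-default setting
    cache-max-ttl: 3600
"""

if __name__ == "__main__":
    print(assess(parse_version(SAMPLE_VERSION), parse_unbound_conf(SAMPLE_CONF)))
```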

Tracking


Advisories
Source      ID          Title
Debian DSA  DSA-6304-1  unbound security update
Ubuntu USN  USN-8282-1  Unbound vulnerabilities
History

Tue, 26 May 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Thu, 21 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared: Nlnetlabs; Nlnetlabs unbound
Vendors & Products: Nlnetlabs; Nlnetlabs unbound

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-107

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-346
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-107

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
Title Another 'ghost domain names' attack variant
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:12:33.115Z

Reserved: 2026-05-07T10:07:51.817Z

Link: CVE-2026-40622

Vulnrichment

Updated: 2026-05-20T12:12:21.123Z

NVD

Status : Analyzed

Published: 2026-05-20T10:16:26.850

Modified: 2026-05-26T18:28:04.073

Link: CVE-2026-40622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T08:15:06Z

Weaknesses