Description
NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
Published: 2026-05-20
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability belongs to the 'ghost domain names' family. In such attacks a domain that has been removed from its parent zone (for example a domain taken down after abuse) keeps resolving because the resolver's cached NS records for it are refreshed instead of being allowed to expire. Here, an attacker who controls the ghost zone and can query a vulnerable Unbound instance sends a single NS query, which causes Unbound to overwrite the expired parent-side referral NS RRset with the child-side apex NS RRset served by the attacker's own name servers. That overwrite extends the lifetime of the attacker-controlled delegation by up to the configured cache-max-ttl (86400 seconds by default). The result is a longer window in which the resolver keeps answering for a domain its parent no longer delegates; the CVSS vector records this as a high integrity impact with no confidentiality or availability impact.
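The overwrite described above, modelled as a small resolver-cache simulation. This is an added example and not Unbound's code: the cache structure, the two trust levels and the store rule are simplifications chosen to reproduce the behaviour the advisory describes (an expired parent-side referral NS RRset replaced by the child apex NS RRset, the replacement's lifetime bounded only by cache-max-ttl) beside the 1.25.1 rule that child data may not extend the parent NS lifetime. The names ghost.example and ns1.attacker.example, the TTLs and the timeline are constructed.

```python
"""Toy model of the NS-cache behaviour behind CVE-2026-40622.

Added example, not Unbound source code. It keeps one delegation in a
minimal resolver cache and compares the store policy described in the
advisory (child apex NS may overwrite an expired parent referral NS)
with the 1.25.1 policy (child data may never extend the parent NS TTL).
Times are integer seconds on a constructed timeline starting at 0.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

UNBOUND_DEFAULT_CACHE_MAX_TTL = 86400  # Unbound's documented default

PARENT_REFERRAL = 1  # NS RRset learned from the parent's referral
CHILD_APEX = 2       # NS RRset served by the child zone itself (higher trust)


@dataclass
class NSRRset:
    owner: str
    nameservers: Tuple[str, ...]
    expiry: int  # absolute second at which the RRset stops being usable
    trust: int


class ResolverCache:
    def __init__(self, cache_max_ttl: int = UNBOUND_DEFAULT_CACHE_MAX_TTL,
                 fixed: bool = False) -> None:
        self.cache_max_ttl = cache_max_ttl
        self.fixed = fixed            # True models the Unbound 1.25.1 rule
        self.delegation: Optional[NSRRset] = None
        self.parent_expiry: Optional[int] = None

    def store_parent_referral(self, now: int, owner: str,
                              nameservers, ttl: int) -> None:
        """Cache the NS RRset from the parent's referral (both policies)."""
        expiry = now + min(ttl, self.cache_max_ttl)
        self.delegation = NSRRset(owner, tuple(nameservers), expiry, PARENT_REFERRAL)
        self.parent_expiry = expiry

    def store_child_apex_ns(self, now: int, owner: str,
                            nameservers, ttl: int) -> None:
        """Cache the apex NS RRset returned by the child's own servers,
        i.e. the answer that an 'NS <zone>' query pulls in."""
        cached = self.delegation
        if cached is None or cached.owner != owner or self.parent_expiry is None:
            return
        # Simplified rule: new data replaces the cached RRset when the cached
        # one has expired or the new data is at least as trusted.
        if not (cached.expiry <= now or CHILD_APEX >= cached.trust):
            return
        expiry = now + min(ttl, self.cache_max_ttl)
        if self.fixed:
            # 1.25.1 behaviour as modelled here: regardless of trust, the
            # delegation's NS RRset may not outlive the parent-side referral.
            expiry = min(expiry, self.parent_expiry)
        self.delegation = NSRRset(owner, tuple(nameservers), expiry, CHILD_APEX)

    def usable_until(self) -> int:
        return self.delegation.expiry if self.delegation else 0


def ghost_domain_window(fixed: bool,
                        cache_max_ttl: int = UNBOUND_DEFAULT_CACHE_MAX_TTL) -> int:
    """Seconds the ghost zone stays resolvable after its parent-side referral
    expired, in a constructed scenario: the parent delegated ghost.example
    with a 3600 s TTL, the delegation was then deleted at the parent, and at
    the moment of expiry the attacker sends 'NS ghost.example' so the resolver
    caches the attacker's apex NS RRset (TTL one week)."""
    cache = ResolverCache(cache_max_ttl=cache_max_ttl, fixed=fixed)
    cache.store_parent_referral(0, "ghost.example.", ["ns1.attacker.example."], 3600)
    t_expired = 3600
    cache.store_child_apex_ns(t_expired, "ghost.example.",
                              ["ns1.attacker.example."], 7 * 86400)
    return max(0, cache.usable_until() - t_expired)


if __name__ == "__main__":
    print("affected, default cache-max-ttl:", ghost_domain_window(False))
    print("affected, cache-max-ttl 3600:   ", ghost_domain_window(False, 3600))
    print("fixed (1.25.1 policy):          ", ghost_domain_window(True))
```

With the default cache-max-ttl the affected policy keeps the deleted delegation usable for a further 86400 seconds; lowering cache-max-ttl shrinks that extension proportionally, and the fixed policy yields no extension because the child's RRset inherits the already-expired parent lifetime.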

Affected Systems

NLnet Labs Unbound versions from 1.16.2 through 1.25.0 are affected. Any deployment using a version in that range will be vulnerable, while Unbound 1.25.1 and later contain the fix that prevents TTL extension of parent NS records.

Risk and Exploitability

The CVSS 4.0 score of 6.6 (Medium) and an EPSS below 1% indicate a moderately severe issue with a very low estimated probability of exploitation in the wild; it is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, 'Automatable: yes' and a partial technical impact. Exploitation requires the attacker to control the authoritative name servers of a zone (the ghost zone) and to be able to send queries to the resolver, which any open or shared resolver allows. In the non-default 'harden-referral-path: yes' configuration Unbound issues the NS query itself, so no client query is needed. The deployments at risk are therefore resolvers running an affected version that accept queries from untrusted clients; whether the operator's own zones are exposed is irrelevant, because the attacker supplies the zone.

Generated by OpenCVE AI on May 20, 2026 at 17:35 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1.


OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later, which no longer lets child-side data extend the TTL of cached parent NS records, regardless of trust level.
  • Do not treat turning off 'harden-referral-path' as a mitigation: the option is off by default, and disabling it only removes the implicit trigger, since a single client NS query still suffices to extend the ghost domain window. Where it is enabled, be aware that no attacker-sent NS query is required at all.
  • Until the upgrade is in place, lower 'cache-max-ttl' (default 86400 seconds) to the smallest value your cache hit rate tolerates; it caps how far the ghost domain window can be extended.

Generated by OpenCVE AI on May 20, 2026 at 17:35 UTC.
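A host-level check for the recommended actions above, as an added example rather than an OpenCVE or NLnet Labs tool. It takes the output of `unbound -V` (only the first dotted version triple is used) and the text of unbound.conf, classifies the version against the affected range 1.16.2 through 1.25.0, and reports the two settings the advisory names, using Unbound's documented defaults (harden-referral-path: no, cache-max-ttl: 86400) when they are absent. The 3600-second threshold used to flag cache-max-ttl, and the sample version output and configuration, are constructed assumptions.

```python
"""Fleet check for CVE-2026-40622.

Added example, not an OpenCVE or NLnet Labs tool. Classifies an Unbound
version against the affected range (1.16.2 up to and including 1.25.0) and
reports the two unbound.conf settings the advisory mentions, falling back to
Unbound's documented defaults when a setting is absent
(harden-referral-path: no, cache-max-ttl: 86400).
"""
import re
from typing import Dict, List, Tuple

AFFECTED_FROM = (1, 16, 2)   # first affected version
FIXED_IN = (1, 25, 1)        # first fixed version
CACHE_MAX_TTL_WARN = 3600    # assumed threshold for the interim mitigation

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
_SETTING_RE = re.compile(r"^(harden-referral-path|cache-max-ttl)\s*:\s*(\S+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return the first dotted triple in text, e.g. from the 'Version 1.24.2'
    line that 'unbound -V' prints."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version found in: %r" % text)
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version_text: str) -> bool:
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def read_settings(conf_text: str) -> Dict[str, object]:
    """Extract harden-referral-path and cache-max-ttl from unbound.conf text.
    Comments are stripped, the last occurrence wins, and only these two keys
    are parsed."""
    settings: Dict[str, object] = {"harden-referral-path": "no",
                                   "cache-max-ttl": 86400}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _SETTING_RE.match(line)
        if m is None:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        settings[key] = int(value) if key == "cache-max-ttl" else value.lower()
    return settings


def audit(version_text: str, conf_text: str) -> List[str]:
    """Findings for one host; an empty list means nothing to do for this CVE."""
    findings: List[str] = []
    version = parse_version(version_text)
    if not is_affected(version_text):
        return findings
    findings.append("affected version %d.%d.%d: upgrade to 1.25.1 or later" % version)
    s = read_settings(conf_text)
    if s["harden-referral-path"] == "yes":
        findings.append("harden-referral-path is yes: Unbound performs the "
                        "triggering NS query itself, no client query needed")
    if int(s["cache-max-ttl"]) > CACHE_MAX_TTL_WARN:  # type: ignore[arg-type]
        findings.append("cache-max-ttl is %d s: ghost window can extend by up "
                        "to that much; lower it until upgraded" % s["cache-max-ttl"])
    return findings


# Constructed sample inputs, not captured from a real host.
SAMPLE_VERSION_OUTPUT = "Version 1.24.2\n\nConfigure line: --prefix=/usr\n"
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    harden-referral-path: yes   # non-default
    cache-max-ttl: 172800
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF):
        print("-", finding)
```

Run it per host with the real `unbound -V` output and configuration file contents; a host on 1.25.1 or later produces no findings regardless of its settings, which matches the vendor statement that the upgrade alone closes the issue.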

Advisories

  Source: Ubuntu USN
  ID: USN-8282-1
  Title: Unbound vulnerabilities
History

Each entry lists the fields whose values were removed or added at that time.

Wed, 20 May 2026 16:30:00 +0000
  Weaknesses: CWE-107

Wed, 20 May 2026 13:30:00 +0000
  Weaknesses: CWE-346
  Metrics: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000
  Weaknesses: CWE-107

Wed, 20 May 2026 10:00:00 +0000
  Description: NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
  Title: Another 'ghost domain names' attack variant
  References:
  Metrics: cvssV4_0
    {'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:12:33.115Z

Reserved: 2026-05-07T10:07:51.817Z

Link: CVE-2026-40622

Vulnrichment

Updated: 2026-05-20T12:12:21.123Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:26.850

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-40622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z

Weaknesses