Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.
Published: 2026-05-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbound up to and including 1.25.0 applies name compression to every reply it builds for a downstream client. When an upstream response carries very large RRsets whose records share no suffix above the root, each lookup in the compression tree fails, and the failure path does not increment the compression counter. The limit introduced in 1.21.1 (the fix for CVE-2024-8508) is therefore never reached, and Unbound keeps compressing the whole packet: the time spent encoding the reply grows with the size of the RRsets instead of being capped. The result is CPU exhaustion, degraded performance and, in a sustained attack, denial of service. This is an algorithmic-complexity weakness (CWE-407, Inefficient Algorithmic Complexity), not memory corruption.
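To make the counter problem concrete, here is an added example that is not Unbound's code: a deliberately simplified model of RFC 1035 pointer compression with a per-message work budget. `charge_failed_lookups=False` models the pre-1.25.1 behaviour, where only a successful suffix match counts against the budget, and `True` models the fix, which charges every lookup whether or not it finds a match. The names, the budget value and the decoder used to prove the output is still valid are constructed for the demonstration; Unbound's real compression tree and limit semantics are more involved.

```python
"""Simplified RFC 1035 name compression with a per-message work budget.

Added example, not Unbound's code: a toy model of the counter bug. In "buggy"
mode only a successful suffix match is charged against the budget, so names
that share no suffix above the root never reach the limit; in "fixed" mode
every lookup is charged, as the 1.25.1 patch does for the real counter.
"""


def compress_names(names, budget, charge_failed_lookups):
    """Encode `names` back to back with pointer compression.

    Returns (wire_bytes, lookups_performed, budget_exhausted). `budget` is the
    number of compression lookups allowed before compression is switched off
    for the rest of the message.
    """
    out = bytearray()
    table = {}          # suffix (tuple of labels) -> offset of its first copy
    charged = 0
    lookups = 0
    compressing = True
    for name in names:
        labels = [l for l in name.rstrip(".").split(".") if l]
        i = 0
        while i < len(labels):
            suffix = tuple(labels[i:])
            if compressing:
                lookups += 1                      # the work we want to bound
                hit = suffix in table
                if hit or charge_failed_lookups:  # buggy mode never charges a miss
                    charged += 1
                    if charged > budget:
                        compressing = False       # rest of message goes uncompressed
                if hit:
                    out += (0xC000 | table[suffix]).to_bytes(2, "big")
                    break                         # a pointer terminates the name
            if len(out) <= 0x3FFF:                # pointers only address 14 bits
                table.setdefault(suffix, len(out))
            label = labels[i].encode("ascii")
            if len(label) > 63:
                raise ValueError("label too long: %r" % labels[i])
            out.append(len(label))
            out += label
            i += 1
        else:
            out.append(0)                         # root label ends the name
    return bytes(out), lookups, not compressing


def decode_names(data, count):
    """Decode `count` names from `data`, following compression pointers."""
    names, pos = [], 0
    for _ in range(count):
        labels, p, next_pos, hops = [], pos, None, 0
        while True:
            length = data[p]
            if length >= 0xC0:                    # 2-byte compression pointer
                if next_pos is None:
                    next_pos = p + 2
                p = ((length & 0x3F) << 8) | data[p + 1]
                hops += 1
                if hops > 64:
                    raise ValueError("compression pointer loop")
                continue
            if length == 0:                       # root label ends the name
                if next_pos is None:
                    next_pos = p + 1
                break
            labels.append(data[p + 1:p + 1 + length].decode("ascii"))
            p += 1 + length
        names.append(".".join(labels) + ".")
        pos = next_pos
    return names


if __name__ == "__main__":
    # Constructed input: 2000 owner names that share no suffix above the root.
    unrelated = ["h%d.zone%d." % (i, i) for i in range(2000)]
    for mode in (False, True):
        wire, lookups, exhausted = compress_names(unrelated, budget=100,
                                                  charge_failed_lookups=mode)
        assert decode_names(wire, len(unrelated)) == unrelated
        print("charge misses=%s lookups=%d budget exhausted=%s"
              % (mode, lookups, exhausted))
```

In buggy mode the lookup count equals the total number of suffixes in the message, so it scales with the RRset; in fixed mode it stops at budget + 1 and the remainder of the packet is written uncompressed, which is larger but bounded work. Both outputs decode to the original names, which is why a limit like this is safe to enforce.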

Affected Systems

NLnet Labs Unbound, all versions up to and including 1.25.0. The compression limit added in 1.21.1 for CVE-2024-8508 does not cover records that share no suffix above the root, so 1.21.1 through 1.25.0 remain affected for this case. The fix ships in 1.25.1; instances running 1.25.1 or later are not affected. Distribution packages may carry the fix as a backport under an older version string, so check the distribution advisory (USN-8282-1 is listed under Advisories below) rather than the upstream version alone.

Risk and Exploitability

The CVSS v4.0 base score is 6.9 (Medium): reachable over the network, low attack complexity, no privileges or user interaction, with impact confined to availability (VA:L). EPSS is below 1% and the CVE is not in the CISA KEV catalog, so there is no evidence of exploitation in the wild at publication; the SSVC entry below likewise records Exploitation: none, but also Automatable: yes. Exploitation needs two things: control of an authoritative zone whose RRsets are crafted to be very large with records sharing no suffix above the root, and a way to make the target resolver look that zone up. On an open resolver that is a single ordinary query from anywhere on the internet; on a closed resolver it requires an allowed client, or a compromised upstream or forwarder. The expensive work happens while Unbound builds its reply, before anything is sent, so the attacker needs no further interaction once the query is in. The lack of public exploit code keeps near-term likelihood moderate, but the attack is cheap to automate and the outcome is loss of resolver availability, so remediate promptly.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1


OpenCVE Recommended Actions

  • Upgrade Unbound to 1.25.1 or later; the patch increments the compression counter on every compression-tree lookup, whether or not it finds a match, so the existing limit now also covers records that share no suffix above the root.
  • If the upgrade must wait, reduce who can trigger the expensive path: restrict the resolver to the clients that need it (firewall rules and Unbound's access-control: entries; avoid a blanket 0.0.0.0/0 allow) and rate-limit per client with ip-ratelimit:. The query itself is small and ordinary; it is the upstream response that is large, so filtering on query size does not help, and disabling recursion is only an option for instances that serve local data rather than resolve.
  • Monitor CPU usage and query latency on resolver hosts for unexplained spikes during the window before the upgrade, and apply the upgrade as soon as possible.
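An added check, not code from OpenCVE or NLnet Labs, that turns the three actions above into something you can run against a host: it parses the first line of `unbound -V` output, compares the version with 1.25.1, and, for a still-vulnerable version, flags an `access-control:` that allows the whole internet and a missing or zero `ip-ratelimit:` in the server: clause. The sample `unbound -V` output and unbound.conf text are constructed for the example; on a real host feed it the actual command output and configuration file. It does not follow `include:` directives, and a distribution backport can make a version look vulnerable when it is not, so treat a "needs upgrade" result as a prompt to check the package changelog.

```python
"""Pre-upgrade exposure check for CVE-2026-44390 on an Unbound host.

Added example, not code from OpenCVE or NLnet Labs. It relies on two documented
facts: `unbound -V` prints "Version X.Y.Z" on its first line, and the server:
clause of unbound.conf uses `access-control: <netblock> <action>` and
`ip-ratelimit: <queries per second per client IP>` (0 disables the limit).
"""
import re

FIXED_VERSION = (1, 25, 1)
WHOLE_INTERNET = ("0.0.0.0/0", "::/0")


def parse_version(unbound_v_output):
    """Return (major, minor, patch) from `unbound -V` output."""
    m = re.search(r"^Version\s+(\d+)\.(\d+)\.(\d+)", unbound_v_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version X.Y.Z' line in unbound -V output")
    return tuple(int(g) for g in m.groups())


def is_fixed(version):
    """True when the upstream version already carries the 1.25.1 fix."""
    return tuple(version) >= FIXED_VERSION


def server_options(conf_text):
    """Collect `key: value` lines of an unbound.conf, dropping comments and clause headers.

    Assumption: a single file; `include:` directives are not followed.
    """
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):      # "server:", "remote-control:" ...
            continue
        key, _, value = line.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def mitigation_findings(version, conf_text):
    """Return (needs_upgrade, findings); findings is empty when the interim
    mitigations are in place or the version is already fixed."""
    if is_fixed(version):
        return False, []
    opts = server_options(conf_text)
    findings = []
    open_allows = []
    for entry in opts.get("access-control", []):
        parts = entry.split()
        if len(parts) == 2 and parts[0] in WHOLE_INTERNET and parts[1].startswith("allow"):
            open_allows.append(entry)
    if open_allows:
        findings.append("access-control allows every client: " + "; ".join(open_allows))
    if opts.get("ip-ratelimit", ["0"])[-1] == "0":
        findings.append("ip-ratelimit is unset or 0; set a per-client query limit")
    return True, findings


if __name__ == "__main__":
    # Constructed sample input. On a real host use the stdout of
    # subprocess.run(["unbound", "-V"], capture_output=True, text=True)
    # and the contents of /etc/unbound/unbound.conf.
    SAMPLE_UNBOUND_V = "Version 1.25.0\nConfigure line: --prefix=/usr\n"
    SAMPLE_CONF = (
        "server:\n"
        "    interface: 0.0.0.0\n"
        "    access-control: 0.0.0.0/0 allow   # open resolver\n"
    )
    needs_upgrade, findings = mitigation_findings(parse_version(SAMPLE_UNBOUND_V), SAMPLE_CONF)
    print("needs upgrade:", needs_upgrade)
    for f in findings:
        print(" -", f)
```

Run `unbound-checkconf` after changing access-control or ip-ratelimit, and remember that rate limiting only raises the cost of an attack; the upgrade is what removes it.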

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Advisories
Source      ID          Title
Ubuntu USN  USN-8282-1  Unbound vulnerabilities
History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.
Title Unbounded name compression in certain cases causes degradation of service
Weaknesses CWE-407
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:56:32.276Z

Reserved: 2026-05-07T10:07:51.828Z

Link: CVE-2026-44390

Vulnrichment

Updated: 2026-05-20T12:56:24.222Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:28.183

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-44390

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses