CVE-2026-44608 - Vulnerability Details

- Use after free and crash under special conditions in RPZ code

Description

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.

Published: 2026-05-20

Score: 4.6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability causes a locking inconsistency in Unbound's RPZ handling, potentially resulting in a heap use‑after‑free and crash when a zone transfer and a read operation happen concurrently. The flaw can lead to denial of service for the trusted network in which Unbound operates.

Affected Systems

The issue affects Unbound versions from 1.14.0 through 1.25.0 produced by NLnet Labs. The problem arises when the service is multi‑threaded and an RPZ zone using rpz‑nsip or rpz‑nsdname triggers is being transferred.

Risk and Exploitability

The CVSS score is 4.6, indicating a low to medium severity. EPSS is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because an attacker would need to satisfy precise timing conditions involving a concurrent zone transfer and RPZ read, the likelihood of exploitation is low. Nevertheless, the crash can interrupt service and affect availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NLnet Labs

Unbound

unaffected

Version	Status	Constraints
`1.14.0`	affected	< 1.25.1

No data.

No data available yet.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

Upgrade Unbound to version 1.25.1 or newer to apply the locking fix.
Remove or disable rpz‑nsip and rpz‑nsdname triggers in RPZ zones unless they are required for policy.
Temporarily suspend RPZ zone transfers during periods of high load or when RPZ zones are updated to prevent concurrent read/write access to the same zone data.

Generated by OpenCVE AI on May 20, 2026 at 11:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-8282-1	Unbound vulnerabilities

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt

History

Wed, 20 May 2026 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 20 May 2026 10:00:00 +0000

Type	Values Removed	Values Added
Description		NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
Title		Use after free and crash under special conditions in RPZ code
Weaknesses		CWE-413
References		https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt
Metrics		cvssV4_0 `{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published: 2026-05-20T09:21:57.360Z

Updated: 2026-05-20T12:54:04.538Z

Reserved: 2026-05-07T10:07:51.822Z

Link: CVE-2026-44608

Vulnrichment

Updated: 2026-05-20T12:52:54.650Z

NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:28.313

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-44608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses

CWE-413

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object