Description
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
Published: 2026-05-20
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a locking inconsistency in how Unbound handles RPZ zone transfers. When a multi‑threaded instance performs an RPZ XFR while another thread reads that zone, the reader may acquire a lock that does not fully protect the data, and the thread applying the XFR may free objects that the reader is about to walk. This use‑after‑free (CWE‑413) can lead to a segmentation fault and crash of the Unbound process. The race condition itself is a classic data‑race weakness (CWE‑367), requiring precise timing between concurrent operations. While the crash only disrupts the local Unbound instance, it would result in a denial of service for any systems relying on name resolution provided by that instance.

Affected Systems

NLnet Labs Unbound versions 1.14.0 through 1.25.0 are affected. The vulnerability is triggered only when the service is run in a multi‑threaded configuration, an RPZ zone uses the rpz‑nsip or rpz‑nsdname triggers, and an RPZ zone transfer is in progress. Local RPZ files without these triggers do not trigger the flaw.

Risk and Exploitability

The CVSS score of 4.6 indicates low to medium risk. The EPSS score of less than 1% further suggests a small likelihood of exploitation. Inferred that the attacker must be able to influence RPZ configuration or force zone transfers while the server is servicing RPZ queries; the likely attack vector is a local or privileged attacker with such capabilities. The vulnerability is not listed in CISA’s KEV catalog. Consequently, the threat is primarily a low‑to‑medium risk of a local denial of service, but the consequences of a crash affect network‑resolved services used by the trusted network.

Generated by OpenCVE AI on May 21, 2026 at 15:24 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or newer to apply the locking fix.
  • Avoid using rpz‑nsip or rpz‑nsdname triggers in RPZ zones unless necessary, and remove them if possible.
  • During periods of high load or when RPZ zones are being updated, temporarily suspend zone transfers to eliminate concurrent read/write activity on the same zone data.

Generated by OpenCVE AI on May 21, 2026 at 15:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6304-1 unbound security update
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
History

Thu, 21 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-367
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 20 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs unbound
CPEs cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
Vendors & Products Nlnetlabs
Nlnetlabs unbound
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
Title Use after free and crash under special conditions in RPZ code
Weaknesses CWE-413
References
Metrics cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber'}

Subscriptions

Nlnetlabs Unbound
cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:54:04.538Z

Reserved: 2026-05-07T10:07:51.822Z

Link: CVE-2026-44608

cve-icon Vulnrichment

Updated: 2026-05-20T12:52:54.650Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T10:16:28.313

Modified: 2026-05-20T22:52:48.303

Link: CVE-2026-44608

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-20T09:21:57Z

Links: CVE-2026-44608 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T15:30:13Z

Weaknesses