Skip to main content

Unbound DNS CVE-2026-40622

| EUVDEUVD-2026-31080 MEDIUM
Origin Validation Error (CWE-346)
2026-05-20 sep@nlnetlabs.nl GHSA-m3vq-fgh9-hq65
6.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:33 vuln.today

DescriptionCVE.org

NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.

AnalysisAI

Ghost domain name extension in NLnet Labs Unbound 1.16.2 through 1.25.0 allows an adversary controlling an expired ghost zone to artificially prolong its resolvability by causing Unbound to overwrite the cached parent-side referral NS rrset with the child-side apex NS rrset, extending the ghost domain window by up to one full cache-max-ttl interval. The attack requires the adversary to control the target ghost zone and issue a single NS query to a vulnerable resolver; in non-default configurations using 'harden-referral-path: yes', no external query is needed as Unbound performs the triggering lookup internally. No public exploit identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 Exploit Maturity is rated 'Unreported', though the integrity impact on DNS resolution is high (VI:H) and represents a meaningful trust boundary violation.

Technical ContextAI

Unbound is a widely deployed validating, recursive, and caching DNS resolver maintained by NLnet Labs, commonly used in ISP, enterprise, and open-resolver environments. This vulnerability belongs to the 'ghost domain names' family of DNS cache manipulation attacks, wherein an adversary causes a caching resolver to continue serving records for a domain whose parent delegation has expired. The specific root cause is that Unbound incorrectly permits a child-side apex NS rrset - received in response to an NS query - to overwrite the cached parent-side referral NS rrset even when the parent record has already expired. Since the child-side answer resets the cache TTL up to the configured 'cache-max-ttl' ceiling, the expired delegation effectively receives a TTL extension and the domain remains resolvable beyond its legitimate lifetime. In the non-default hardening mode 'harden-referral-path: yes', Unbound proactively validates referral paths by issuing NS queries itself, meaning the triggering lookup occurs without any external client involvement. No CWE is formally assigned, but this aligns conceptually with CWE-346 (Origin Validation Error) and CWE-706 (Use of Incorrectly-Resolved Name or Reference) in the context of DNS trust hierarchies.

RemediationAI

Upgrade to Unbound 1.25.1, which contains a patch that prevents TTL extension of parent NS records regardless of trust level, as confirmed by the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt. If immediate upgrade is not feasible, lowering the 'cache-max-ttl' configuration value reduces the maximum ghost domain extension window - the trade-off is reduced cache efficiency and increased upstream query load. For resolvers where 'harden-referral-path: yes' is already configured, reverting this setting to the default (disabled) restores the requirement for an external client NS query as a trigger, marginally reducing the attack surface by removing the passive exploitation path; however, this weakens referral path validation and should only be considered as a temporary compensating measure. Restricting resolver query access via firewall rules to trusted internal clients limits an external adversary's ability to send the triggering NS query, though it does not eliminate the vulnerability and does not help in 'harden-referral-path: yes' deployments. Organizations should treat all three workarounds as temporary mitigations pending the upgrade to 1.25.1.

CVE-2019-18934 HIGH POC
7.3 Nov 19

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiv

CVE-2026-33278 CRITICAL
9.1 May 20

Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attac

CVE-2026-42959 HIGH
8.7 May 20

Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an at

CVE-2026-42944 HIGH
8.7 May 20

Heap overflow denial-of-service in NLnet Labs Unbound recursive DNS resolver versions 1.14.0 through 1.25.0 allows remot

CVE-2022-3204 HIGH
7.5 Sep 26

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolv

CVE-2020-10772 HIGH
7.5 Nov 27

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020

CVE-2020-12663 HIGH
7.5 May 19

Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. Rated high severity

CVE-2020-12662 HIGH
7.5 May 19

Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. Rated high severity

CVE-2019-16866 HIGH
7.5 Oct 03

Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIF

CVE-2024-1488 HIGH
7.3 Feb 15

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound grou

CVE-2026-42534 MEDIUM
6.9 May 20

Resolution performance degradation in NLnet Labs Unbound 1.25.0 and earlier allows an unauthenticated remote attacker -

CVE-2026-44390 MEDIUM
6.9 May 20

Denial of service in NLnet Labs Unbound 1.25.0 and earlier allows remote unauthenticated attackers to exhaust CPU resour

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-40622 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy