Skip to main content

NLnet Labs Unbound CVE-2026-44390

| EUVDEUVD-2026-31088 MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-05-20 sep@nlnetlabs.nl GHSA-6522-r5fq-99gw
6.9
CVSS 4.0 · Vendor: nlnetlabs
Share

Severity by source

Vendor (nlnetlabs) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (nlnetlabs).

CVSS VectorVendor: nlnetlabs

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:35 vuln.today

DescriptionCVE.org

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.

AnalysisAI

Denial of service in NLnet Labs Unbound 1.25.0 and earlier allows remote unauthenticated attackers to exhaust CPU resources by querying for content from a specially crafted malicious DNS zone containing very large RRsets whose records share no suffix above the root. The name compression logic fails to increment its bounding counter in this edge-case code path, causing an unbounded CPU-locking loop until packet construction completes. This is a complement fix to CVE-2024-8508, which introduced a compression limit in 1.21.1 that did not cover this specific bypass scenario; no public exploit has been identified at time of analysis.

Technical ContextAI

Unbound is a validating, recursive, and caching DNS resolver developed by NLnet Labs. DNS name compression (RFC 1035 Section 4.1.4) is a standard mechanism that reduces packet size by replacing repeated domain name suffixes with pointers. Unbound's implementation builds a compression tree and walks it when constructing downstream replies. CVE-2024-8508 introduced a compression operation counter to bound this process in version 1.21.1, but the fix only incremented the counter when the compression tree lookup succeeded. When records in a large RRset share no common suffix above the root (e.g., all labels are unique), the lookup fails and a different code path is taken that bypasses the counter increment entirely. CWE-407 (Algorithmic Complexity) identifies the root cause: the algorithm's worst-case execution time is not properly bounded for this input class, allowing adversary-controlled DNS zone content to drive disproportionate CPU consumption. Affected CPE: cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:* through version 1.25.0.

RemediationAI

Upgrade to NLnet Labs Unbound 1.25.1, which contains a targeted patch that increments the name compression counter regardless of whether the compression tree lookup succeeds, closing the bypass path left open by the CVE-2024-8508 fix. The vendor advisory is at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44390.txt. If immediate upgrade is not possible, a compensating control is to restrict which upstream authoritative servers Unbound will query by configuring strict forward-zone or stub-zone policies, reducing exposure to malicious zone content from arbitrary sources - note this trade-off limits recursive resolution capability. Rate-limiting inbound query volumes at the network perimeter can reduce the window for a sustained DoS but does not eliminate the underlying vulnerability. Operators running Unbound in a split-horizon or internal-only configuration with controlled upstream paths face substantially lower risk.

CVE-2019-18934 HIGH POC
7.3 Nov 19

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiv

CVE-2026-33278 CRITICAL
9.1 May 20

Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attac

CVE-2026-42959 HIGH
8.7 May 20

Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an at

CVE-2026-42944 HIGH
8.7 May 20

Heap overflow denial-of-service in NLnet Labs Unbound recursive DNS resolver versions 1.14.0 through 1.25.0 allows remot

CVE-2022-3204 HIGH
7.5 Sep 26

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolv

CVE-2020-10772 HIGH
7.5 Nov 27

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020

CVE-2020-12663 HIGH
7.5 May 19

Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. Rated high severity

CVE-2020-12662 HIGH
7.5 May 19

Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. Rated high severity

CVE-2019-16866 HIGH
7.5 Oct 03

Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIF

CVE-2024-1488 HIGH
7.3 Feb 15

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound grou

CVE-2026-42534 MEDIUM
6.9 May 20

Resolution performance degradation in NLnet Labs Unbound 1.25.0 and earlier allows an unauthenticated remote attacker -

CVE-2026-41292 MEDIUM
6.6 May 20

Unbound DNS resolver versions up to and including 1.25.0 allow remote unauthenticated attackers to degrade or deny servi

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-44390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy