Skip to main content

NLnet Labs Unbound CVE-2026-44608

| EUVDEUVD-2026-31087 MEDIUM
Improper Resource Locking (CWE-413)
2026-05-20 sep@nlnetlabs.nl GHSA-fx8q-9cm5-75v9
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
SUSE
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:35 vuln.today

DescriptionCVE.org

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.

AnalysisAI

Heap use-after-free in Unbound's RPZ (Response Policy Zone) subsystem crashes the DNS resolver under a specific race condition affecting multi-threaded deployments. Versions 1.14.0 through 1.25.0 are affected when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers is served via XFR (zone transfer) and a simultaneous read occurs in another thread. The crash is remotely triggerable by timing a DNS query against an in-progress XFR, but requires multiple co-occurring non-default conditions; no public exploit exists and no active exploitation has been confirmed.

Technical ContextAI

Unbound is a validating, recursive DNS resolver by NLnet Labs. The vulnerability is rooted in CWE-413 (Improper Resource Locking) within the RPZ (Response Policy Zone) implementation. RPZ zones can be loaded via local files or remote zone transfers (XFR). The 'rpz-nsip' and 'rpz-nsdname' trigger types cause Unbound to walk NS record IP addresses and names during policy evaluation. In multi-threaded mode, one thread applies incoming XFR data to the in-memory zone structure while other threads concurrently read from it. The flaw is that the reading thread releases its lock on the RPZ zone data prematurely, before completing its traversal of the zone's object graph. This creates a window where the XFR-applying thread - which has now acquired the lock - can free objects that the reader thread is still accessing, resulting in a classic heap use-after-free condition. The CPE implied by the description covers NLnet Labs Unbound versions 1.14.0 through 1.25.0 on all supported platforms.

RemediationAI

Upgrade to Unbound 1.25.1, which contains a vendor-released patch fixing the locking logic in the RPZ XFR code path, as confirmed by NLnet Labs at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt. If immediate upgrade is not possible, the following compensating controls each carry trade-offs: (1) Switch RPZ zone provisioning from XFR to local files - this fully eliminates the vulnerable code path but requires a manual or scripted process to keep RPZ data current, increasing operational overhead. (2) Disable 'rpz-nsip' and 'rpz-nsdname' trigger types from all RPZ zones served via XFR - this removes the trigger condition but reduces the enforcement coverage of your RPZ policy, potentially allowing NSDNAME/NSIP-based threats to go unfiltered. (3) Force Unbound to run in single-threaded mode (num-threads: 1) - this eliminates the race condition entirely but may degrade query throughput under load, which is operationally unacceptable for high-volume resolvers. For production DNS infrastructure relying on RPZ-over-XFR, upgrading to 1.25.1 is the only mitigation without functional or performance trade-offs.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-44608 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy