CVE-2024-8508
Published 2024-10-03
Priority P428 · medium · CVSS 3.1 base score 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.81% (52.2th percentile)
NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstream responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well-orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it tries to apply name compression, which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long. This change should not affect normal DNS traffic. Note the preconditions: the attacker needs to be able to send queries to the resolver and to control the contents of a zone the resolver will fetch; it is the resolver's CPU, not the client's, that gets tied up.
Affected
16 ranges (ranges ending at 1.25.1 belong to the follow-up CVE-2026-44390 listed below, which covers Unbound up to and including 1.25.0; CVE-2024-8508 itself is fixed in 1.21.1)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | unbound | < unbound 1.17.1-2+deb12u3 (bookworm) | unbound 1.17.1-2+deb12u3 (bookworm) |
| msrc | azl3_unbound_1.19.1-4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_unbound_1.19.1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| nlnet_labs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | < 1.21.1 | 1.21.1 |
| nlnetlabs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | — | — |
| nlnetlabs | unbound | >= 0 < 1.13.1-1+deb11u4 | 1.13.1-1+deb11u4 |
| nlnetlabs | unbound | >= 0 < 1.17.1-2+deb12u3 | 1.17.1-2+deb12u3 |
| nlnetlabs | unbound | >= 0 < 1.21.1-1 | 1.21.1-1 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| ghsa | 5.3 | MEDIUM | — |
| osv | 5.3 | MEDIUM | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_msrc | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |
GHSA
GHSA-6522-r5fq-99gw: NLnet Labs Unbound up to and including version 1
ghsa_unreviewed·2026-05-20·CVSS 5.3
CVE-2026-44390 [MEDIUM] CWE-407 GHSA-6522-r5fq-99gw: NLnet Labs Unbound up to and including version 1
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression li
GHSA
hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression
ghsa·2026-05-07·CVSS 5.3
CVE-2024-8508 [MEDIUM] CWE-407 hickory-proto vulnerable to CPU exhaustion during message encoding due to O(n²) name compression
During message encoding, `hickory-proto`'s `BinEncoder` stores pointers to labels that are candidates for name compression in a `Vec`. The name compression logic then searches that `Vec` for matches with a linear scan.
A malicious message with many records can both introduce many candidate labels and invoke this linear scan many times, so the work grows quadratically with the number of names (the O(n²) in the title). This can amplify CPU exhaustion in DoS attacks.
This is similar to [CVE-2024-8508](https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt).
### Reporter
Qifan Zhang, Palo Alto Networks
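The two mechanisms described on this page, the linear candidate scan in hickory-proto's encoder and the per-packet cap on compression work that Unbound 1.21.1 introduced, in one runnable model. This is an added example written for this page, not code from either project: the `Encoder` class, the `work_limit` parameter, the comparison counter and the `tld{i}` names are constructed for illustration and do not reproduce either project's actual data structures or limit values.

```python
"""DNS name compression (RFC 1035 section 4.1.4): an unbounded linear-scan
candidate search next to the same encoder with a per-packet work cap.
Added example modelled on the advisories' descriptions; not project code."""

from typing import List, Optional, Tuple

MAX_POINTER_OFFSET = 0x3FFF  # a compression pointer carries a 14-bit offset


def to_labels(name: str) -> List[bytes]:
    """'www.Example.' -> [b'www', b'example']; the root name '.' gives []."""
    name = name.rstrip(".").lower()
    labels = [label.encode("ascii") for label in name.split(".")] if name else []
    if any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("label length must be 1..63 octets")
    return labels


class Encoder:
    """Writes names into one packet buffer, replacing repeated suffixes by pointers."""

    def __init__(self, work_limit: Optional[int] = None) -> None:
        self.buf = bytearray()
        # (offset, suffix labels) for every suffix written at a pointer-addressable
        # offset; searched with a linear scan, as the hickory-proto advisory describes.
        self.candidates: List[Tuple[int, Tuple[bytes, ...]]] = []
        self.work = 0                 # candidate comparisons done for this packet
        self.work_limit = work_limit  # None = unbounded (the vulnerable behaviour)
        self.limited = False          # set once the cap is reached

    def _find(self, suffix: Tuple[bytes, ...]) -> Optional[int]:
        for offset, labels in self.candidates:
            if self.work_limit is not None and self.work >= self.work_limit:
                self.limited = True   # cap hit: rest of the packet goes uncompressed
                return None
            self.work += 1
            if labels == suffix:
                return offset
        return None

    def write_name(self, name: str) -> None:
        labels = to_labels(name)
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            target = None if self.limited else self._find(suffix)
            if target is not None:
                self.buf += bytes([0xC0 | (target >> 8), target & 0xFF])
                return
            if len(self.buf) <= MAX_POINTER_OFFSET:
                self.candidates.append((len(self.buf), suffix))
            self.buf += bytes([len(label)]) + label
        self.buf.append(0)  # root label ends an uncompressed tail


def decode_name(buf: bytes, offset: int) -> Tuple[str, int]:
    """Reads the name at offset, following pointers; returns (name, end offset).
    Rejects forward pointers and pointer loops, as a resolver must."""
    labels: List[str] = []
    end: Optional[int] = None
    hops = 0
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:
            pointer = ((length & 0x3F) << 8) | buf[offset + 1]
            if pointer >= offset:
                raise ValueError("compression pointer must point backwards")
            hops += 1
            if hops > 64:
                raise ValueError("too many compression pointers")
            end = offset + 2 if end is None else end
            offset = pointer
            continue
        if length == 0:
            end = offset + 1 if end is None else end
            break
        labels.append(buf[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", end


def encode_packet(names: List[str], work_limit: Optional[int] = None) -> dict:
    """Encodes all names into one buffer, checks they decode back, and reports
    packet size, comparisons performed, and whether the cap was hit."""
    enc = Encoder(work_limit)
    starts = []
    for name in names:
        starts.append(len(enc.buf))
        enc.write_name(name)
    packet = bytes(enc.buf)
    decoded = [decode_name(packet, start)[0] for start in starts]
    expected = [".".join(l.decode() for l in to_labels(n)) + "." for n in names]
    if decoded != expected:
        raise AssertionError("round trip failed")
    return {"size": len(packet), "work": enc.work, "limited": enc.limited}


def worst_case_names(n: int) -> List[str]:
    """n single-label names sharing no suffix above the root (constructed input):
    every lookup scans every earlier candidate and never matches."""
    return [f"tld{i}." for i in range(n)]


if __name__ == "__main__":
    print("shared suffix:", encode_packet(["www.example.", "mail.example.", "ns1.example."]))
    for n in (200, 400):  # comparisons grow as n*(n-1)/2
        print(n, "names, unbounded:", encode_packet(worst_case_names(n)))
    print("400 names, capped:", encode_packet(worst_case_names(400), work_limit=5000))
```

Doubling the number of suffix-free names quadruples the comparison count, which is the amplification both advisories describe. With `work_limit` set, the count stops at the cap, the rest of the packet is written uncompressed (the "semi-compressed packets" of the Unbound fix), and every name still decodes correctly, since compression is only an optimisation. The decoder's backward-pointer and hop checks are the receiving-side counterpart a resolver needs against crafted replies.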
OSV
CVE-2024-8508: NLnet Labs Unbound up to and including version 1
osv·2024-10-03·CVSS 5.3
CVE-2024-8508 [MEDIUM] CVE-2024-8508: NLnet Labs Unbound up to and including version 1
GHSA
GHSA-g7cv-x9wx-38gx: NLnet Labs Unbound up to and including version 1
ghsa_unreviewed·2024-10-03
CVE-2024-8508 [MEDIUM] CWE-1284 GHSA-g7cv-x9wx-38gx: NLnet Labs Unbound up to and including version 1
Red Hat
unbound: Unbound: Denial of Service due to excessive resource consumption with large DNS Resource Record Sets
vendor_redhat·2026-05-20·CVSS 5.3
CVE-2026-44390 [MEDIUM] CWE-1050 unbound: Unbound: Denial of Service due to excessive resource consumption with large DNS Resource Record Sets
Ubuntu
Unbound vulnerability
vendor_ubuntu·2024-10-22
CVE-2024-8508 Unbound vulnerability
Title: Unbound vulnerability
Summary: Unbound could be made to stop responding if it received specially crafted DNS traffic.
Toshifumi Sakaguchi discovered that Unbound incorrectly handled name compression for large RRsets, which could lead to excessive CPU usage. An attacker could potentially use this issue to cause a denial of service by sending specially crafted DNS responses.
Instructions: In general, a standard system update will make all the necessary changes.
BSD
OpenBSD 7.5 Errata 011: SECURITY FIX
bsd_advisories·2024-10-14·CVSS 5.3
CVE-2024-8508 [MEDIUM] OpenBSD 7.5 Errata 011: SECURITY FIX
011: SECURITY FIX: October 14, 2024
All architectures: Querying a maliciously constructed DNS zone could result in degraded performance or denial of service. CVE-2024-8508
Microsoft
Unbounded name compression could lead to Denial of Service
vendor_msrc·2024-10-08·CVSS 5.3
CVE-2024-8508 [MEDIUM] CWE-1284 Unbounded name compression could lead to Denial of Service
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Product: Mariner
Vendor: NLnet Labs
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Red Hat
unbound: Unbounded name compression could lead to Denial of Service
vendor_redhat·2024-10-03·CVSS 5.3
CVE-2024-8508 [MEDIUM] CWE-606 unbound: Unbounded name compression could lead to Denial of Service
Debian
CVE-2024-8508: unbound - NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability w...
vendor_debian·2024·CVSS 5.3
CVE-2024-8508 [MEDIUM] CVE-2024-8508: unbound - NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability w...
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44390 unbound: Unbound: Denial of Service due to excessive resource consumption with large DNS Resource Record Sets
bugzilla·2026-05-20·CVSS 5.3
CVE-2026-44390 [MEDIUM] CVE-2026-44390 unbound: Unbound: Denial of Service due to excessive resource consumption with large DNS Resource Record Sets
Bugzilla
CVE-2024-8508 unbound: Unbounded name compression could lead to Denial of Service
bugzilla·2024-10-03·CVSS 5.3
CVE-2024-8508 [MEDIUM] CVE-2024-8508 unbound: Unbounded name compression could lead to Denial of Service