CVE-2025-11411
published 2025-10-22CVE-2025-11411: NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS…
PriorityP429medium5.7CVSS 4.0
AVAACLATPPRNUINVCNVIHVANSCNSIHSAHEPCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.31%
22.8th percentile
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | unbound | < unbound 1.17.1-2+deb12u4 (bookworm) | unbound 1.17.1-2+deb12u4 (bookworm) |
| msrc | azl3_unbound_1.19.1-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_unbound_1.19.1-5_on_azure_linux_3.0 | — | — |
| msrc | cbl2_unbound_1.19.1-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_unbound_1.19.1-4_on_cbl_mariner_2.0 | — | — |
| nlnet_labs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | — | — |
| nlnetlabs | unbound | >= 0 < 1.13.1-1+deb11u7 | 1.13.1-1+deb11u7 |
| nlnetlabs | unbound | >= 0 < 1.17.1-2+deb12u4 | 1.17.1-2+deb12u4 |
| nlnetlabs | unbound | >= 0 < 1.22.0-2+deb13u1 | 1.22.0-2+deb13u1 |
| nlnetlabs | unbound | >= 0 < 1.24.2-1 | 1.24.2-1 |
| nlnetlabs | unbound | >= 0 < 1.13.1-1ubuntu5.14 | 1.13.1-1ubuntu5.14 |
| nlnetlabs | unbound | >= 0 < 1.19.2-1ubuntu3.7 | 1.19.2-1ubuntu3.7 |
| nlnetlabs | unbound | >= 0 < 1.22.0-2ubuntu2.2 | 1.22.0-2ubuntu2.2 |
CVSS provenance
nvdv4.05.7MEDIUMCVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv5.7MEDIUM
vendor_debian5.7MEDIUM
vendor_msrc5.7MEDIUM
vendor_redhat5.7MEDIUM
vendor_ubuntu5.7MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
unbound: Unbound DNS Cache Poisoning via Promiscuous Additional Section RRSet Acceptance
vendor_redhat·2026-05-20·CVSS 5.7
CVE-2026-42960 [MEDIUM] CWE-349 unbound: Unbound DNS Cache Poisoning via Promiscuous Additional Section RRSet Acceptance
unbound: Unbound DNS Cache Poisoning via Promiscuous Additional Section RRSet Acceptance
A flaw was found in Unbound's handling of DNS reply messages, complementing the earlier CVE-2025-11411 fix. Unbound accepts and caches address records from the additional section of DNS replies when they accompany authority section RRSets other than NS (such as MX records). A malicious actor who can inject crafted DNS responses—via packet spoofing or fragmentation attacks—can exploit this to poison Unbound's cache with attacker-controlled address records, potentially redirecting DNS resolution for affected domains.
Statement: The Red Hat Product Security team has assessed the severity of this vulnerability as Moderate. Exploitation requires the attacker to successfully inject or spoof DNS response pa
Ubuntu
Unbound regression
vendor_ubuntu·2025-12-02·CVSS 5.7
CVE-2025-11411 [MEDIUM] Unbound regression
Title: Unbound regression
Summary: USN-7855-1 introduced a regression in Unbound
USN-7855-1 fixed vulnerabilities in Unbound. It was discovered that the fix
for CVE-2025-11411 was incomplete. This update fixes the problem.
Original advisory details:
Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan discovered that
Unbound incorrectly handled certain promiscuous NS RRSets. A remote
attacker could possibly use this issue to perform a domain hijack attack.
Instructions: In general, a standard system update will make all the necessary changes.
BSD
FreeBSD-SA-25:10.unbound: Cache poison in local-unbound service
bsd_advisories·2025-11-26·CVSS 5.7
CVE-2025-11411 [MEDIUM] FreeBSD-SA-25:10.unbound: Cache poison in local-unbound service
FreeBSD-SA-25:10.unbound Security Advisory
The FreeBSD Project
Topic: Cache poison in local-unbound service
Category: contrib
Module: unbound
Announced: 2025-11-26
Credits: Yuxiao Wu, Yunyi Zhang, Baojun Liu, Haixin Duan, Yang Luo,
and JianJun Chen from Tsinghua University along with TaoFei
Guo from Peking University.
Affects: All supported versions of FreeBSD.
Corrected: 2025-11-26 16:00:04 UTC (stable/15, 15.0-STABLE)
2025-11-26 16:13:20 UTC (releng/15.0, 15.0-RC4-p1)
2025-11-26 16:01:01 UTC (stable/14, 14.3-STABLE)
2025-11-26 16:13:30 UTC (releng/14.3, 14.3-RELEASE-p6)
2025-11-26 16:02:40 UTC (stable/13, 13.5-STABLE)
2025-11-26 16:13:41 UTC (releng/13.5, 13.5-RELEASE-p7)
CVE Name: CVE-2025-11411
For general information regarding FreeBSD Security Advisories,
including descriptions of
Ubuntu
Unbound vulnerability
vendor_ubuntu·2025-11-04
CVE-2025-11411 Unbound vulnerability
Title: Unbound vulnerability
Summary: Unbound could be made to hijack domains if it received specially crafted
network traffic.
Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan discovered that Unbound
incorrectly handled certain promiscuous NS RRSets. A remote attacker could
possibly use this issue to perform a domain hijack attack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
unbound: Unbound domain hijacking via promiscuous records
vendor_redhat·2025-10-22·CVSS 5.7
CVE-2025-11411 [MEDIUM] CWE-349 unbound: Unbound domain hijacking via promiscuous records
unbound: Unbound domain hijacking via promiscuous records
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegati
Microsoft
Possible domain hijacking via promiscuous records in the authority section
vendor_msrc·2025-10-14·CVSS 5.7
CVE-2025-11411 [MEDIUM] CWE-349 Possible domain hijacking via promiscuous records in the authority section
Possible domain hijacking via promiscuous records in the authority section
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
NLnet Labs: NLnet Labs
Customer Action Required: Yes
Remediation: CBL-Mariner Relea
Debian
CVE-2025-11411: unbound - NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible ...
vendor_debian·2025·CVSS 5.7
CVE-2025-11411 [MEDIUM] CVE-2025-11411: unbound - NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible ...
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolic
GHSA
GHSA-x7f7-rggg-4jvv: NLnet Labs Unbound up to and including version 1
ghsa_unreviewed·2026-05-20·CVSS 5.7
CVE-2026-42960 [MEDIUM] CWE-349 GHSA-x7f7-rggg-4jvv: NLnet Labs Unbound up to and including version 1
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this poi
OSV
unbound regression
osv·2025-12-02·CVSS 5.7
CVE-2025-11411 [MEDIUM] unbound regression
unbound regression
USN-7855-1 fixed vulnerabilities in Unbound. It was discovered that the fix
for CVE-2025-11411 was incomplete. This update fixes the problem.
Original advisory details:
Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan discovered that
Unbound incorrectly handled certain promiscuous NS RRSets. A remote
attacker could possibly use this issue to perform a domain hijack attack.
OSV
CVE-2025-11411: NLnet Labs Unbound up to and including version 1
osv·2025-10-22·CVSS 5.7
CVE-2025-11411 [MEDIUM] CVE-2025-11411: NLnet Labs Unbound up to and including version 1
NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolic
GHSA
GHSA-6w73-x38p-26g5: NLnet Labs Unbound up to and including version 1
ghsa_unreviewed·2025-10-22
CVE-2025-11411 [MEDIUM] CWE-349 GHSA-6w73-x38p-26g5: NLnet Labs Unbound up to and including version 1
NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolic
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-11411 unbound: Unbound domain hijacking via promiscuous records
bugzilla·2025-10-22·CVSS 5.7
CVE-2025-11411 [MEDIUM] CVE-2025-11411 unbound: Unbound domain hijacking via promiscuous records
CVE-2025-11411 unbound: Unbound domain hijacking via promiscuous records
NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data f
Bugzilla
CVE-2025-5791 kata-containers: `root` appended to group listings [fedora-42]
bugzilla·2025-06-06·CVSS 7.1
CVE-2025-5791 [HIGH] CVE-2025-5791 kata-containers: `root` appended to group listings [fedora-42]
CVE-2025-5791 kata-containers: `root` appended to group listings [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2370001
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
Addressed upstream in https://github.com/kata-containers/kata-containers/pull/11411.
Fixed in 3.18.0, which is now built for Fedora.
See https://issues.redhat.com/browse/OCPBUGS-57158 for the fix in OpenShift Sandboxed Containers, and explanation as to why it does not generally apply to Fedora users of kata-containers (it only impacts runk).
---
T
2025-10-22
Published