cbcvebase.
CVE-2026-33278
published 2026-05-20

CVE-2026-33278: NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote…

PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.27%
66.2th percentile
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.

Affected

4 ranges
VendorProductVersion rangeFixed in
nlnet_labsunbound>= 1.19.1 < 1.25.11.25.1
nlnetlabsunbound
nlnetlabsunbound>= 1.19.1 < 1.25.11.25.1
ubuntuunbound

Detection & IOCsextracted from sources · hover to see the quote

  • Trigger condition: attacker controls a malicious DNSSEC-signed zone and sends queries to a vulnerable Unbound instance, causing DS sub-query validation to suspend due to NSEC3 computational budget exhaustion, which activates the deep-copy code path containing the struct-assignment bug.
  • The vulnerable code path is in Unbound's DNSSEC validator during deep-copying of response messages when DS sub-queries suspend due to NSEC3 budget exhaustion. The struct-assignment bug overwrites the destination's rrsets pointer with the source's pointer, creating a dangling pointer after the sub-query region is freed.
  • ·The vulnerability is only reachable when NSEC3 computational budget exhaustion occurs during DS sub-query validation — a condition introduced in Unbound 1.19.1. Instances running versions prior to 1.19.1 are not affected by this specific code path.
  • ·Red Hat Enterprise Linux 6 is out of support scope for this CVE; RHEL 7, 8, 9, 10, Red Hat Hardened Images, and Red Hat OpenShift Container Platform 4 (rhcos) are all listed as Affected.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.1CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
vendor_redhat9.1CRITICAL
vendor_ubuntu4.6MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.