CVE-2026-44608
Published: 2026-05-20
Priority: P4 · 31 · medium · 5.9 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.26% (16.8th percentile)
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnet_labs | unbound | >= 1.14.0 < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | — | — |
| nlnetlabs | unbound | >= 1.14.0 < 1.25.1 | 1.25.1 |
| ubuntu | unbound | — | — |
CVSS provenance
nvd · v3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd · v4.0 · 4.6 MEDIUM · CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
vendor_redhat · 4.6 MEDIUM
vendor_ubuntu · 4.6 MEDIUM
BSD
FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
bsd_advisories·2026-06-09·CVSS 5.3
CVE-2026-32792 [MEDIUM] FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
FreeBSD-SA-26:33.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE)
2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2)
2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923,
CVE-2026-42944, CVE-2026-42959, CVE-2026-42960,
CVE-2026-44390, CVE-2026-44608
For general information regarding FreeBSD Security Advisories,
including descriptio
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 4.6
CVE-2026-42959 [MEDIUM] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected U
Red Hat
unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload
vendor_redhat·2026-05-20·CVSS 4.6
CVE-2026-44608 [MEDIUM] CWE-367 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload
unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload
A flaw was found in Unbound. When operating in a multi-threaded configuration with specific Response Policy Zones (RPZ) using 'rpz-nsip' or 'rpz-nsdname' triggers, a locking inconsistency during an RPZ zone transfer (XFR) reload can occur. This timing issue may allow an adversary to trigger a heap use-after-free vulnerability, leading to a system crash and a Denial of Service (DoS).
Mitigation: To mitigate this issue, avoid using `rpz-nsip` or `rpz-nsdname` triggers within Response Policy Zones (RPZ) that are configured for zone transfer (XFR) reloads. Alternatively, configure Unbound to use local RPZ files instead of XFR for these zones, as local RPZ files do not trigger the vulnerability. A restart o
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2026-05-20·CVSS 4.6
CVE-2026-33278 [MEDIUM] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10
VulDB
NLnet Labs Unbound up to 1.25.0 RPZ File improper resource locking (Nessus ID 315774)
vuldb·2026-05-23·CVSS 4.6
CVE-2026-44608 [MEDIUM] NLnet Labs Unbound up to 1.25.0 RPZ File improper resource locking (Nessus ID 315774)
A vulnerability has been found in NLnet Labs Unbound up to 1.25.0 and classified as problematic. This impacts an unknown function of the component RPZ File Handler. Performing a manipulation results in improper resource locking.
This vulnerability is reported as CVE-2026-44608. The attack is possible to be carried out remotely. No exploit exists.
The affected component should be upgraded.
GHSA
GHSA-fx8q-9cm5-75v9: NLnet Labs Unbound 1
ghsa_unreviewed·2026-05-20
CVE-2026-44608 [MEDIUM] CWE-413 GHSA-fx8q-9cm5-75v9: NLnet Labs Unbound 1
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbo
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload [fedora-all]
bugzilla·2026-05-21·CVSS 4.6
CVE-2026-44608 [MEDIUM] CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload [fedora-all]
CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload
bugzilla·2026-05-20·CVSS 4.6
CVE-2026-44608 [MEDIUM] CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload
CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thr