EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the Unbound DNS resolver, specifically in versions 1.19.1 up to 1.25.0. They include a critical flaw in the validation engine, as well as high-severity issues and medium-severity issues that degrade performance. If exploited, these flaws could allow unauthenticated remote attackers to execute arbitrary code on vulnerable servers, compromise security, and disrupt business operations. Business risk and impact are significant, with potential consequences including data breaches, system downtime, and reputational damage.
CVE-2026-33278 with a CVSS score of 9.8 – This critical flaw in the validation engine allows unauthenticated remote attackers to execute arbitrary code on vulnerable servers. It is triggered when the resolver processes complex NSEC3 records: a struct-assignment bug overwrites a destination pointer.
CVE-2026-42944 with a CVSS score of 8.7 – This high-severity issue is a heap overflow that occurs when Unbound encodes multiple EDNS options into a single reply packet. An attacker can attach an excessive number of options to a query, triggering a heap overwrite.
CVE-2026-42959 with a CVSS score of 7.5 – This high-severity issue is a validator crash caused by malicious upstream replies; a threat actor can trigger it with a single query.
CVE-2026-42960 with a CVSS score of 10.0 – This critical-severity vulnerability is a cache poisoning flaw via the authority section, allowing attackers to inject rogue records into a reply.
CVE-2026-44390 with a CVSS score of 5.3 – This medium-severity issue is an unbounded name compression flaw during large record processing, which can cause performance degradation.
CVE-2026-41292 with a CVSS score of 7.5 – This high-severity issue allows long lists of EDNS options to tie up processing threads, causing performance degradation.
Organizations must take immediate action to mitigate these threats: the Unbound DNSSEC validation vulnerability poses a significant risk to their security and business operations, and if exploited it could allow attackers to execute arbitrary code on vulnerable servers, compromising security, data, and business continuity.
RECOMMENDATION:
We recommend updating Unbound to version 1.25.1.
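To confirm whether an installed resolver falls inside the affected range (1.19.1 through 1.25.0) before and after patching, here is an added example check; it is not part of this advisory or of the Unbound project, and it assumes that `unbound -V` prints a line of the form `Version X.Y.Z`. It compares version components numerically so that, for example, 1.9.x is correctly treated as older than 1.19.1.

```python
import re
import shutil
import subprocess

# Affected range stated in the advisory: 1.19.1 up to and including 1.25.0.
FIRST_AFFECTED = (1, 19, 1)
LAST_AFFECTED = (1, 25, 0)
FIXED_VERSION = (1, 25, 1)


def parse_version(text):
    """Extract the first dotted X.Y.Z version from text such as the
    'Version 1.25.0' line printed by `unbound -V` (assumed output format)."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version tuple lies within the advisory's affected range.
    Tuple comparison is numeric per component, so (1, 9, 5) < (1, 19, 1)
    and (1, 25, 0) < (1, 25, 1) as expected."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def check_installed(binary="unbound"):
    """Run `unbound -V` and return (version_tuple, affected), or None when
    the binary is not on PATH."""
    path = shutil.which(binary)
    if path is None:
        return None
    output = subprocess.run([path, "-V"], capture_output=True, text=True).stdout
    version = parse_version(output)
    return version, is_affected(version)


if __name__ == "__main__":
    result = check_installed()
    if result is None:
        print("unbound binary not found on PATH")
    else:
        version, affected = result
        shown = ".".join(str(p) for p in version)
        fixed = ".".join(str(p) for p in FIXED_VERSION)
        print(f"Unbound {shown}: " + (f"AFFECTED, update to {fixed}" if affected
                                      else "not in the affected range"))
```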
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/unbound-dnssec-validation-vulnerability/