CVE-2026-33278

9.8 CRITICAL

NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service a...

Published: 2026-05-20 · Last updated: 2026-05-20

Severity and scoring

CVSS: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416, CWE-672

Affected products

Vendor	Product
nlnetlabs	unbound

Description

NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-33278
[Vendor advisory]https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt

Related CVEs

Same vendor

CVE-2026-44608 — NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are m... (5.9 MEDIUM)
CVE-2026-44390 — NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs... (5.3 MEDIUM)
CVE-2026-42960 — NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section (10.0 CRITICAL)
CVE-2026-42959 — NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a cr... (7.5 HIGH)
CVE-2026-42944 — NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSI... (7.5 HIGH)

Same CWE

CVE-2026-53462 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.9 MEDIUM)
CVE-2026-46523 — ImageMagick is free and open-source software used for editing and manipulating digital images (6.2 MEDIUM)
CVE-2026-52757 — Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable me... (4.4 MEDIUM)
CVE-2026-49496 — Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when... (6.1 MEDIUM)
CVE-2026-45782 — Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads