QSearchQSearch

CVE-2026-40622

7.5 HIGH

NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could...

Published: 2026-05-20 · Last updated: 2026-05-26

Severity and scoring

CVSS
7.5 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE
CWE-346

Affected products

VendorProduct
nlnetlabsunbound

Description

NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-49235 When Routinator encounters a file via RRDP using a specifically crafted Document Type Definition, Routinator crashes (7.5 HIGH)
  • CVE-2026-49234 When sending a specifically crafted non-UTF-8 string as select-asn query parameter to the /api/v1/origins endpoint, Routinator crashes (7.5 HIGH)
  • CVE-2026-49233 Routinator does not properly check the module component of rsync URIs, which are used to create the file system paths for the Routinator ... (7.5 HIGH)
  • CVE-2026-44608 NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are m... (5.9 MEDIUM)
  • CVE-2026-44390 NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs... (5.3 MEDIUM)

Same CWE

  • CVE-2026-12304 Same-origin policy bypass in the Networking: Cookies component (9.1 CRITICAL)
  • CVE-2026-47825 Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios (8.6 HIGH)
  • CVE-2026-9595 Impact: When a user-configured proxy on webpack-dev-server has a broad context (e.g (5.3 MEDIUM)
  • CVE-2026-11624 The Model Context Protocol has a security warning advising servers to validate the "Origin" header on all incoming connections to prevent...
  • CVE-2026-45173 Idira Identity Browser Extension (Chrome, Firefox, and Edge builds) versions prior to 26.8.1 exhibit an origin validation flaw within its...