CVE-2026-33278: Unbound DNSSEC Validator Allows Remote Code Execution

Summary

The DNSSEC validator in NLnet Labs Unbound 1.19.1 through 1.25.0 has a use-after-free vulnerability that lets a remote attacker crash the resolver and possibly execute arbitrary code. This is a serious issue because the attacker only needs to control a malicious signed zone and be able to query the vulnerable resolver. To fix this, update to Unbound version 1.25.1 or later.

What to do

Update to Unbound 1.25.1 or later, which contains the fix. If you run a packaged build, check with your software vendor for an updated package.

Affected software
Vendor | Product | Affected versions
nlnetlabs | unbound | >= 1.19.1, < 1.25.1
cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
Original title
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copyin...
Original description
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
nvd CVSS4.0 9.1
Vulnerability type
CWE-416 Use After Free
CWE-672 Operation on a Resource after Expiration or Release
Published: 20 May 2026 · Updated: 30 May 2026 · First seen: 20 May 2026
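
The bug class named in the description above (a struct assignment that overwrites the destination's deep-copied pointer with the source's pointer), shown next to a corrected form. This is an added example, not Unbound's code or its patch; the types and function names are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical types for illustration; these are not Unbound's structures. */
struct reply { size_t len; unsigned char *buf; };
struct msg { int flags; struct reply *rep; };

/* Deep-copy the payload into memory the destination owns. */
static struct reply *reply_dup(const struct reply *src) {
    struct reply *d = malloc(sizeof(*d));
    if (!d) return NULL;
    d->len = src->len;
    d->buf = malloc(src->len);
    if (!d->buf) { free(d); return NULL; }
    memcpy(d->buf, src->buf, src->len);
    return d;
}

/* Bug class: the struct assignment runs after the deep copy and replaces
 * dst->rep with src->rep, so dst points into the source's region. */
int msg_copy_buggy(struct msg *dst, const struct msg *src) {
    dst->rep = reply_dup(src->rep);
    if (!dst->rep) return 0;
    *dst = *src; /* clobbers dst->rep; the fresh copy is leaked */
    return 1;
}

/* Corrected form: keep the destination's own pointer across the assignment. */
int msg_copy_fixed(struct msg *dst, const struct msg *src) {
    struct reply *own = reply_dup(src->rep);
    if (!own) return 0;
    *dst = *src;    /* copies the scalar fields */
    dst->rep = own; /* restore the pointer to the deep copy */
    return 1;
}

/* Returns 1 if the copy still aliases the source (it would dangle once the
 * source region is freed), 0 if independent with equal content, -1 on error. */
int copy_aliases_source(int use_fixed) {
    unsigned char data[] = "constructed sample payload"; /* constructed input */
    struct reply r = { sizeof(data), data };
    struct msg src = { 1, &r }, dst = { 0, NULL };
    int ok = use_fixed ? msg_copy_fixed(&dst, &src) : msg_copy_buggy(&dst, &src);
    if (!ok) return -1;
    if (dst.rep == src.rep) return 1; /* aliasing detected; nothing is freed here */
    int same = dst.rep->len == r.len && !memcmp(dst.rep->buf, data, r.len);
    free(dst.rep->buf); free(dst.rep);
    return same ? 0 : -1;
}
```

Building code like this with AddressSanitizer (`-fsanitize=address`) and then freeing the source before reading the copy reports the buggy variant as a heap-use-after-free, which is a practical way to catch this pattern in review or CI.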