CVE-2026-33278
Status: Analyzed (Analysis Complete)
Denial of Service and Code Execution in Unbound DNSSEC Validator

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
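The deep-copy defect described above, reduced to a minimal C illustration added here (hypothetical types, not Unbound's code): a whole-struct assignment `*dst = *src` silently copies the source's buffer pointer over the destination's own, so the "copy" aliases memory that is freed when the source region is torn down. The fixed variant saves and restores the destination pointer around the assignment, which is the shape of fix the advisory describes.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical message with an owned heap buffer (not Unbound's real structs). */
struct msg { size_t len; unsigned char *data; };

/* Buggy deep copy: whole-struct assignment copies src->data over dst's own
 * buffer pointer, so dst aliases the source instead of owning a copy.
 * Caller must have given dst a buffer of at least src->len bytes. */
void msg_deep_copy_buggy(struct msg *dst, const struct msg *src) {
    *dst = *src;                              /* BUG: clobbers dst->data */
    memmove(dst->data, src->data, src->len);  /* copies the buffer onto itself */
}

/* Fixed deep copy: preserve the destination's own pointer across the assignment. */
void msg_deep_copy_fixed(struct msg *dst, const struct msg *src) {
    unsigned char *own = dst->data;           /* remember dst's buffer */
    *dst = *src;                              /* copy scalar fields such as len */
    dst->data = own;                          /* restore dst's pointer */
    memcpy(dst->data, src->data, src->len);   /* now a genuine deep copy */
}

/* Returns 1 if dst still aliases the source buffer after the copy (it dangles
 * once the source region is freed), 0 if dst owns an exact copy, 2 if dst owns
 * a buffer whose bytes differ, -1 on allocation failure. */
int copies_alias(int use_fixed_copy) {
    const unsigned char payload[] = { 0x01, 0x02, 0x03, 0x04 };  /* constructed */
    unsigned char *src_buf = malloc(sizeof payload);  /* lives in the "source region" */
    unsigned char *own = malloc(sizeof payload);      /* dst's own buffer */
    struct msg src = { sizeof payload, src_buf };
    struct msg dst = { 0, own };
    int rc;
    if (!src_buf || !own) { free(src_buf); free(own); return -1; }
    memcpy(src_buf, payload, sizeof payload);
    if (use_fixed_copy) msg_deep_copy_fixed(&dst, &src);
    else msg_deep_copy_buggy(&dst, &src);
    if (dst.data == src.data) rc = 1;
    else rc = (dst.len == sizeof payload &&
               memcmp(dst.data, payload, sizeof payload) == 0) ? 0 : 2;
    free(src_buf);  /* source region torn down: in the buggy case dst.data now dangles */
    free(own);      /* dst's own buffer, valid to free in both cases */
    return rc;
}
```

The function deliberately never dereferences the dangling pointer; it only reports the aliasing, which is the condition that becomes a use-after-free once the suspended validator resumes.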
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Vendor: nlnetlabs
Product: unbound
Version / Range: From 1.19.1 (inc) to 1.25.1 (exc)
CWE
CWE-672: The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Quick Actions
Compliance Impact

The provided information does not specify how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-33278 is a vulnerability in the DNSSEC validator component of NLnet Labs Unbound versions 1.19.1 through 1.25.0. It occurs due to a bug in deep copying a data structure where a destination pointer is mistakenly overwritten with a source pointer. This happens when Unbound suspends validation because of NSEC3 computational budget exhaustion. The incorrect pointer leads to a dangling pointer that, when dereferenced, can cause the validator to crash or potentially allow an attacker to execute arbitrary code remotely.

Impact Analysis

This vulnerability can impact you by causing a denial of service (DoS) condition where the DNSSEC validator crashes, disrupting DNS resolution services. More severely, it may allow an attacker who controls a malicious signed DNS zone to execute arbitrary code remotely on the affected system, potentially leading to full system compromise.

Mitigation Strategies

To mitigate the vulnerability in Unbound versions 1.19.1 through 1.25.0, you should upgrade Unbound to version 1.25.1, which contains a patch fixing the pointer overwrite issue during deep copying.

Alternatively, if upgrading is not immediately possible, applying a manual patch to the affected versions can reduce the risk of exploitation.
