CVE-2026-33278
Status: Undergoing Analysis - In Progress
Denial of Service and Code Execution in Unbound DNSSEC Validator

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
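The pointer-overwrite pattern the description refers to, shown as an added C illustration that is not Unbound's code: the `msg` struct, the two copy routines and the check below are constructed for this page. The buggy routine allocates a destination buffer and then assigns the whole struct, so the destination's pointer is silently replaced by the source's; once the source is released, the copy holds a dangling pointer. The fixed routine keeps the destination's own pointer across the assignment.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not Unbound's code): a message that owns a
 * heap-allocated buffer and lives in a temporary region that is torn down. */
struct msg {
    size_t len;
    unsigned char *data;   /* owned buffer */
};

/* Buggy deep copy: a fresh buffer is allocated for dst, but the following
 * whole-struct assignment replaces dst->data with src->data (and leaks the
 * fresh buffer). dst now aliases memory it does not own. */
static int msg_copy_buggy(struct msg *dst, const struct msg *src) {
    dst->data = malloc(src->len);
    if (!dst->data) return -1;
    memcpy(dst->data, src->data, src->len);
    *dst = *src;            /* BUG: overwrites dst->data with src->data */
    return 0;
}

/* Fixed deep copy: preserve the destination's own buffer across the
 * struct assignment, then copy the bytes into it. */
static int msg_copy_fixed(struct msg *dst, const struct msg *src) {
    unsigned char *own = malloc(src->len);
    if (!own) return -1;
    *dst = *src;            /* copy scalar fields */
    dst->data = own;        /* restore the destination's own pointer */
    memcpy(dst->data, src->data, src->len);
    return 0;
}

/* Returns 1 if, after copying, dst still points at the source buffer that
 * the "region teardown" frees (a dangling pointer), 0 if the copy owns its
 * own buffer, -1 on allocation failure. The dangling pointer is never
 * dereferenced here; only its identity is compared. */
static int copy_aliases_source(int (*copy)(struct msg *, const struct msg *)) {
    struct msg src = { 4, malloc(4) };
    if (!src.data) return -1;
    memcpy(src.data, "abcd", 4);
    struct msg dst = { 0, NULL };
    if (copy(&dst, &src) != 0) { free(src.data); return -1; }
    int aliased = (dst.data == src.data);
    free(src.data);         /* region teardown: source buffer released */
    if (!aliased) free(dst.data);
    return aliased;
}
```

With the buggy routine the check returns 1 (the copy points at freed memory), with the fixed routine 0.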
Affected Vendors & Products (2 associated CPEs)

Vendor       Product   Version / Range
nlnet_labs   unbound   up to and including 1.25.0
nlnet_labs   unbound   1.25.1
CWE ID    Description
CWE-416   The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-672   The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33278 is a vulnerability in the DNSSEC validator component of NLnet Labs Unbound versions 1.19.1 through 1.25.0. It occurs due to a bug in deep copying a data structure where a destination pointer is mistakenly overwritten with a source pointer. This happens when Unbound suspends validation because of NSEC3 computational budget exhaustion. The incorrect pointer leads to a dangling pointer that, when dereferenced, can cause the validator to crash or potentially allow an attacker to execute arbitrary code remotely.


How can this vulnerability impact me?

This vulnerability can impact you by causing a denial of service (DoS) condition where the DNSSEC validator crashes, disrupting DNS resolution services. More severely, it may allow an attacker who controls a malicious signed DNS zone to execute arbitrary code remotely on the affected system, potentially leading to full system compromise.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in Unbound versions 1.19.1 through 1.25.0, you should upgrade Unbound to version 1.25.1, which contains a patch fixing the pointer overwrite issue during deep copying.

Alternatively, if upgrading is not immediately possible, applying a manual patch to the affected versions can reduce the risk of exploitation.

