CVE-2026-40622
Ghost Domain Names TTL Extension in Unbound
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: NLnet Labs
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nlnet_labs | unbound | From 1.16.2 (inc) to 1.25.0 (inc) |
| nlnet_labs | unbound | 1.25.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40622 is a vulnerability in the Unbound DNS resolver affecting versions 1.16.2 up to and including 1.25.0. It belongs to the 'ghost domain names' family of attacks, in which a domain whose delegation has already been removed from the parent zone (for example after an abuse takedown) keeps resolving because the resolver's cache is refreshed from the child zone's own name servers instead of the parent. An attacker who still operates the authoritative servers of such a ghost zone can extend the ghost domain window by up to one cached TTL (time-to-live) value simply by sending a vulnerable Unbound instance an NS query for the zone. A single client NS query causes Unbound to overwrite the cached, already expired parent-side referral NS record set with the child-side apex NS record set served by the attacker, so the zone stays resolvable for one more TTL after the parent-side data should have aged out.
In configurations where the 'harden-referral-path: yes' option is enabled (it is not the default), no client query is needed, because Unbound issues the NS query itself while verifying the referral path. The vulnerability was fixed in Unbound version 1.25.1, which no longer allows the TTL of parent-side NS records to be extended, regardless of the trust level of the record set that would replace them.
How can this vulnerability impact me?
This vulnerability allows an attacker who controls a ghost zone to keep that zone resolvable on a vulnerable Unbound resolver for up to one additional cached TTL after its delegation has been removed from the parent. This is not cache poisoning with forged records: the data served is the child zone's own apex NS set, but the resolver trusts it for longer than the parent-side delegation allows. In practice, a domain that was revoked or taken down (phishing, malware command-and-control, expired or seized registrations) continues to direct clients of that resolver to the attacker's infrastructure after it should have stopped resolving, delaying the effect of the takedown and prolonging any traffic misdirection that depends on the domain.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is a cache-maintenance flaw inside Unbound rather than a malformed packet, so the most reliable check is the version: run `unbound -V` on each resolver and compare the reported version against the affected range (1.16.2 through 1.25.0 inclusive). Also check whether the non-default trigger is enabled with `unbound-checkconf -o harden-referral-path`, which prints the effective value of that option.
Observing an exploitation attempt on the wire is harder, because the trigger is an ordinary NS query for a zone whose parent-side referral NS set has just expired from the cache. DNS query logging on Unbound, or a packet capture with tcpdump or Wireshark, can surface unusual volumes of NS-type queries for recently deleted domains, but there is no signature that distinguishes the trigger from legitimate traffic.
On the resolver itself, `unbound-control dump_cache` prints the rrset cache, including each NS record set with its remaining TTL, and `unbound-control lookup <name>` shows which name servers Unbound would currently use for a name. For a zone known to have been removed from its parent, an NS record set whose remaining TTL climbs back up instead of counting down to expiry is the symptom of the window being extended from the child side.
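The following is an added triage helper written for this page; it is not code from NLnet Labs or the Unbound project. It does two things offline: compares a version string (as printed by `unbound -V`) against the affected range stated above, and extracts the NS record sets with their remaining TTL from text in the layout that `unbound-control dump_cache` produces, so a zone that has been deleted at the parent can be watched for an NS set that keeps being refreshed. The dump layout assumed here (a `;rrset <ttl> <rr_count> <rrsig_count> <trust> <security>` header line followed by one record per line) and the sample dump are constructed for the example; confirm the layout against your own installation before relying on it.

```python
"""Triage helpers for CVE-2026-40622 (added example, not Unbound's code).

Assumptions, labelled here and in the lead-in:
  * The affected range is 1.16.2 through 1.25.0 inclusive, fixed in 1.25.1,
    as stated on this page.
  * `unbound-control dump_cache` output contains a START_RRSET_CACHE section in
    which every record set is introduced by a header line of the form
    `;rrset [nsec3] <ttl_left> <rr_count> <rrsig_count> <trust> <security>`
    and followed by one `<owner> <ttl> IN <type> <rdata>` line per record.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

AFFECTED_FROM = (1, 16, 2)  # inclusive, from the advisory on this page
AFFECTED_TO = (1, 25, 0)    # inclusive
FIXED_IN = (1, 25, 1)


def parse_version(text: str) -> tuple:
    """Pull the numeric version out of `unbound -V` output ('Version 1.25.0')
    or a bare '1.25.0' string. A missing patch level is treated as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) for g in m.groups(default="0"))


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected range (tuple comparison
    gives the same ordering as a human reading 1.16.2 <= v <= 1.25.0)."""
    return AFFECTED_FROM <= parse_version(version) <= AFFECTED_TO


@dataclass
class NsRrset:
    owner: str                 # zone apex, lower-cased, with trailing dot
    ttl_left: int              # seconds until the rrset expires, from the header
    trust: int                 # Unbound's internal trust value as printed in the header
    nameservers: List[str] = field(default_factory=list)


def ns_rrsets(dump: str) -> List[NsRrset]:
    """Walk the RRSET section of a dump_cache text and return every NS rrset,
    with the remaining TTL and trust level taken from its `;rrset` header."""
    results: List[NsRrset] = []
    header: Optional[tuple] = None   # (ttl_left, trust) of the rrset being read
    current: Optional[NsRrset] = None
    in_rrsets = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line == "START_RRSET_CACHE":
            in_rrsets = True
            continue
        if line == "END_RRSET_CACHE":
            break
        if not in_rrsets or not line:
            continue
        if line.startswith(";rrset"):
            # The optional 'nsec3' token sits before the five numbers, so index
            # the numbers from the end of the line.
            fields = line.split()
            header = (int(fields[-5]), int(fields[-2]))
            current = None
            continue
        parts = line.split()
        if header is None or len(parts) < 5 or parts[3] != "NS":
            continue  # not a record line, or not an NS record: skip
        if current is None:
            current = NsRrset(parts[0].lower(), header[0], header[1])
            results.append(current)
        current.nameservers.append(parts[4].lower())
    return results


def watch_zone(dump: str, zone: str) -> Optional[NsRrset]:
    """Return the cached NS rrset for `zone`, or None if it is not cached.
    Run this repeatedly after the delegation for `zone` has been removed at the
    parent: a remaining TTL that grows instead of counting down means the set
    was refreshed from the child side, which is the ghost-domain symptom."""
    owner = zone.lower().rstrip(".") + "."
    for rrset in ns_rrsets(dump):
        if rrset.owner == owner:
            return rrset
    return None


# Constructed sample in the assumed dump_cache layout (not a real capture).
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 3594 2 0 7 3
example.test.\t3594\tIN\tNS\tns1.example.test.
example.test.\t3594\tIN\tNS\tns2.example.test.
;rrset 3594 1 0 6 3
ns1.example.test.\t3594\tIN\tA\t192.0.2.10
;rrset 86390 1 0 12 3
.\t86390\tIN\tNS\ta.root-servers.net.
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
"""

if __name__ == "__main__":
    for v in ("Version 1.16.1", "Version 1.25.0", "Version 1.25.1"):
        print(v, "-> affected" if is_affected(v) else "-> not affected")
    ghost = watch_zone(SAMPLE_DUMP, "example.test")
    if ghost:
        print(f"{ghost.owner} NS {ghost.nameservers} ttl_left={ghost.ttl_left} trust={ghost.trust}")
```

In production, feed `watch_zone` the live output (`subprocess.run(["unbound-control", "dump_cache"], capture_output=True, text=True).stdout`) on a timer and record `ttl_left` for the zones you are tracking; the value should only ever decrease between samples until the set disappears.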
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Unbound to version 1.25.1 or later, which contains the fix that stops parent-side NS records from having their TTL extended regardless of the trust level of the replacing record set.
If upgrading immediately is not possible, apply the manual patch provided for version 1.25.0.
Additionally, review whether the non-default 'harden-referral-path: yes' option is enabled and consider disabling it until the resolver is patched. This removes the trigger that needs no client query, but it does not remove the client-query trigger, so it is a partial risk reduction, not a substitute for the upgrade.