Executive Summary

CVE-2026-40622 is a vulnerability in the Unbound DNS software affecting versions 1.16.2 up to and including 1.25.0. It belongs to the 'ghost domain names' family of attacks. An attacker who controls a ghost zone can extend the ghost domain window by up to one cached TTL (time-to-live) value by querying a vulnerable Unbound instance. This happens because a single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS record set with the child-side apex NS record set, effectively extending the ghost domain window.

In configurations where the 'harden-referral-path: yes' option is enabled (which is not the default), no client query is needed since Unbound performs the query implicitly. The vulnerability was fixed in Unbound version 1.25.1, which prevents the extension of TTLs for parent NS records regardless of their trust.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker controlling a ghost zone to extend the ghost domain window, potentially enabling DNS cache poisoning or manipulation. By extending the TTL of certain DNS records improperly, an attacker might cause a vulnerable Unbound DNS resolver to serve outdated or malicious DNS information longer than intended. This can lead to misdirection of network traffic, interception, or disruption of services relying on DNS.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the extension of the ghost domain window by manipulating cached TTL values in Unbound DNS software. Detection would involve monitoring for unusual NS queries or unexpected changes in cached NS rrsets, especially those that overwrite expired parent-side referral NS records with child-side apex NS records.

Since the vulnerability can be triggered by a single client NS query or implicitly when 'harden-referral-path: yes' is enabled, network monitoring tools should be configured to detect abnormal NS query patterns or TTL extensions in DNS cache.

Specific commands are not provided in the available resources. However, typical detection might include using DNS query logging on Unbound or network packet capture tools (e.g., tcpdump or Wireshark) to analyze NS queries and responses for suspicious TTL behavior.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Unbound DNS software to version 1.25.1 or later, which contains a patch that prevents the extension of TTLs for parent NS records regardless of their trust.

If upgrading immediately is not possible, applying the manual patch provided for version 1.25.0 is recommended.

Additionally, reviewing and possibly disabling the non-default 'harden-referral-path: yes' configuration may reduce risk, as this setting causes Unbound to perform implicit queries that can trigger the vulnerability without client queries.

Useful 0 Not Useful 0