CVE-2026-44390
Status: Analyzed (Analysis Complete)
Denial of Service in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets for which Unbound needs to perform name compression. Malicious upstream responses with very large RRsets whose records do not share any suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and, in well-orchestrated attacks, to denial of service. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it tries to apply name compression, which was an unbounded operation that could occupy the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this, but it did not account for the case where records share no suffix above the root. That case sends Unbound into a different code path because the compression-tree lookup fails, and the compression counter is not incremented for those operations, so the limit is never reached. Unbound 1.25.1 contains a fix that increments the compression counter regardless of the result of the compression-tree lookup. This is a complementary fix to CVE-2024-8508.
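The accounting bug described above, as an added illustration that is not Unbound's code and not part of the original advisory: a small model of DNS name compression with a per-packet work cap. The compression tree, the cap value COMPRESSION_LIMIT, the cost proxy (number of tree probes) and the two constructed RRsets are assumptions chosen to mirror the advisory's description; the real Unbound code and limit value differ. The model has two modes: count_misses=False counts a compression operation only when the tree lookup succeeds (the 1.21.1 behaviour), and count_misses=True counts it regardless of the lookup result (the 1.25.1 fix).

```python
"""Simplified model of DNS name compression with a per-packet work cap.

Added illustration for CVE-2026-44390 (complement of CVE-2024-8508). This is
NOT Unbound's code: the tree, the cap value and the cost accounting are
assumptions that mirror the behaviour described in the advisory, namely a
compression limit that was only counted when the compression-tree lookup
succeeded, so records sharing no suffix above the root never reached it.
"""
from dataclasses import dataclass, field

COMPRESSION_LIMIT = 12  # hypothetical per-packet cap; Unbound's real value differs


def labels(name: str) -> list[str]:
    """'www.example.com.' -> ['www', 'example', 'com'] (root dropped)."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


@dataclass
class Compressor:
    """Writes names into a reply, pointing at suffixes already emitted."""
    count_misses: bool                         # True = fixed (1.25.1) accounting
    tree: dict = field(default_factory=dict)   # suffix labels -> wire offset
    offset: int = 12                           # first byte after the DNS header
    work: int = 0                              # counter checked against the cap
    lookups: int = 0                           # cost proxy: tree probes performed

    def _emit(self, labs: list[str], n_literal: int) -> None:
        """Emit n_literal labels verbatim (recording their suffixes in the tree),
        then a 2-byte pointer if labels remain, else the 1-byte root terminator."""
        for i in range(n_literal):
            self.tree.setdefault(tuple(labs[i:]), self.offset)
            self.offset += 1 + len(labs[i])
        self.offset += 2 if n_literal < len(labs) else 1

    def write_name(self, name: str) -> str:
        labs = labels(name)
        if self.work >= COMPRESSION_LIMIT:
            # Budget spent: write the name uncompressed, no tree probes at all.
            self.offset += sum(1 + len(lab) for lab in labs) + 1
            return "uncompressed"
        for i in range(len(labs)):           # probe longest suffix first
            self.lookups += 1
            if tuple(labs[i:]) in self.tree:
                self.work += 1               # hit: counted in both versions
                self._emit(labs, i)
                return "pointer"
        # Lookup failed outright: no suffix of this name (above the root) is in
        # the tree. This is the path the 1.21.1 limit did not account for.
        if self.count_misses:
            self.work += 1                   # the 1.25.1 fix: count this path too
        self._emit(labs, len(labs))
        return "inserted"


def measure(names: list[str], count_misses: bool) -> dict:
    """Compress an RRset's names and report how much tree work it cost."""
    comp = Compressor(count_misses)
    outcomes = [comp.write_name(n) for n in names]
    return {"lookups": comp.lookups, "work": comp.work,
            "uncompressed": outcomes.count("uncompressed")}


# Constructed sample RRset targets (think NS/MX/CNAME targets of one large RRset).
NO_SHARED_SUFFIX = [f"host{i}.tld{i}." for i in range(50)]    # each under its own "TLD"
SHARED_SUFFIX = [f"host{i}.example.com." for i in range(50)]  # all under example.com

if __name__ == "__main__":
    for title, names in (("no shared suffix", NO_SHARED_SUFFIX),
                         ("shared suffix", SHARED_SUFFIX)):
        for fixed in (False, True):
            print(f"{title:17} fixed={fixed!s:5} {measure(names, fixed)}")
```

With records that share a suffix, both modes stop probing the tree after COMPRESSION_LIMIT operations. With 50 records that share nothing above the root, the unfixed mode keeps the counter at zero and performs a probe per label for every record, so the cost grows linearly with RRset size (100 probes here, and unboundedly for larger RRsets), while the fixed mode caps the probes at 24 and writes the remaining 38 names uncompressed.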
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: nlnetlabs
Product: unbound
Version / Range: before 1.25.1 (1.25.1 excluded, i.e. up to and including 1.25.0)
CWE
CWE-407 (Inefficient Algorithmic Complexity): An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Executive Summary

CVE-2026-44390 is a vulnerability in Unbound, NLnet Labs' validating, recursive DNS resolver, affecting versions up to and including 1.25.0. It occurs when Unbound builds replies containing very large Resource Record sets (RRsets) that require name compression. If the records in the RRset share no suffix above the root, the compression-tree lookup fails and Unbound takes a code path in which the compression counter is not incremented, so the per-packet compression limit introduced in 1.21.1 is never reached. Unbound then spends excessive time applying name compression, potentially occupying the CPU until the entire packet has been written.

Impact Analysis

This vulnerability can lead to degraded performance of the Unbound DNS resolver and, in well-orchestrated attacks, to a denial of service (DoS). The attacker does not need to spoof traffic: they serve a malicious zone whose RRsets are very large and whose records share no suffix above the root, then query (or induce any client to query) the resolver for those names. Unbound fetches the response and, while building the reply to the client, performs name compression that is not subject to the limit, occupying the CPU and disrupting normal DNS resolution for other clients.

Mitigation Strategies

To mitigate this vulnerability, upgrade Unbound to version 1.25.1 or later, which contains a fix that increments the compression counter regardless of the outcome of the compression-tree lookup, so the existing limit applies to this code path as well.

If upgrading is not immediately possible, apply the 1.25.1 fix to your own build (for example, distribution packages that backport the change); verify afterwards with `unbound -V` that the running binary reports a fixed version.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves Unbound spending excessive time applying name compression to very large RRsets whose records share no suffix above the root, which can lead to degraded performance or denial of service.

On a running resolver, watch for sustained high CPU in the unbound process and rising answer latency that correlates with queries for particular names; because the work happens while the reply is being assembled, the symptom appears on the client-facing side even though the cause is the upstream response.

Because the trigger is a response whose records share no suffix above the root (for example, each record's name ending in a different top-level label), a lab reproduction needs an authoritative server under your control that serves such an RRset; querying a test resolver for it and comparing CPU time between 1.25.0 and 1.25.1 shows the difference.

The available resources give no specific commands for detecting or reproducing the issue; checking the Unbound version (1.25.1 or later) is the reliable test.
