CVE-2026-44390
Undergoing Analysis - In Progress
Denial of Service in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets for which Unbound needs to perform name compression. Malicious upstream responses with very large RRsets whose records don't share a suffix above the root can cause Unbound to spend considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well-orchestrated attacks.

An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query, it tries to apply name compression, which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this, but it didn't account for the case where records share no suffix above the root. That sends Unbound down a different code path because of the compression tree lookup failure, and the compression counter is never incremented for those operations.

Unbound 1.25.1 contains a patch that increments the compression counter regardless of the compression tree lookup result. This is a complementary fix to CVE-2024-8508.
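As an added illustration (not Unbound's code), the following toy model of name compression shows the accounting difference the advisory describes: charging the work budget only on compression-tree hits lets names that share no suffix above the root run unbounded, while charging every lookup bounds the work. The budget value, the sample RRsets and the helper names are assumptions.

```python
"""Toy model of DNS name compression with a work budget (added illustration,
not Unbound's code). Names are tuples of labels; the 'compression tree' maps a
suffix to the offset where it was first written, and a hit emits a pointer."""

LIMIT = 1000  # assumed budget; the real Unbound limit is not stated on the page


def compress(names, limit=LIMIT, count_misses=True):
    """Return (lookups_charged, stopped_early).

    count_misses=False models the flawed accounting described in the advisory:
    the counter moves only when a tree lookup succeeds, so names sharing no
    suffix above the root never exhaust the budget.
    count_misses=True models the corrected accounting: every lookup is charged,
    regardless of whether the tree lookup hits or misses."""
    tree = {}
    offset = 0
    ops = 0
    for name in names:
        for i in range(len(name)):
            suffix = name[i:]
            hit = suffix in tree
            if hit or count_misses:
                ops += 1
            if ops >= limit:
                return ops, True  # budget exhausted: stop compressing
            if hit:
                offset += 2  # emit a 2-byte pointer and stop for this name
                break
            tree[suffix] = offset  # remember this suffix for later names
            offset += 1 + len(name[i])
        else:
            offset += 1  # root label written in full
    return ops, False


def shared_suffix_rrset(n):
    """Constructed sample: n owner names that all end in example.test."""
    return [(f"host{k}", "example", "test") for k in range(n)]


def disjoint_suffix_rrset(n):
    """Constructed sample: n owner names that share no label above the root."""
    return [(f"a{k}", f"b{k}", f"tld{k}") for k in range(n)]
```

With the flawed accounting, the shared-suffix set trips the budget but the disjoint set is processed in full no matter how large it is; with the corrected accounting both stop at the budget.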
Meta Information
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nlnet_labs; Product: unbound; Version / Range: up to 1.25.0 (inclusive)
CWE
CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44390 is a vulnerability in Unbound, a DNS resolver, affecting versions up to and including 1.25.0. It occurs when Unbound handles replies containing very large Resource Record sets (RRsets) that require name compression. If the RRsets contain records that do not share a suffix above the root, Unbound enters a code path where it fails to increment the compression counter properly. This causes Unbound to spend excessive time applying name compression, potentially locking the CPU until the entire packet is processed.


How can this vulnerability impact me?

This vulnerability can lead to degraded performance of the Unbound DNS resolver and can eventually cause a denial of service (DoS) in well-orchestrated attacks. An attacker can exploit this by getting Unbound to resolve a malicious zone whose responses carry very large RRsets that trigger the excessive name compression processing, effectively locking the CPU and disrupting normal DNS resolution.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Unbound to version 1.25.1 or later, which contains a patch that fixes the issue by properly incrementing the compression counter regardless of the compression tree lookup.

Alternatively, if upgrading is not immediately possible, you can manually apply the patch provided for Unbound 1.25.0 to address the vulnerability.

