CVE-2026-44608
Analyzed Analyzed - Analysis Complete
Heap Use-After-Free in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-08
NVD
CVE-2026-44608
EUVD
EUVD-2026-31087
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nlnetlabs unbound From 1.14.0 (inc) to 1.25.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-413 The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-44608 is a locking inconsistency vulnerability in NLnet Labs Unbound versions 1.14.0 up to and including 1.25.0. It occurs in multi-threaded environments when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers undergoes an RPZ XFR reload. If an XFR happens simultaneously while another thread reads the RPZ zone, improper locking can cause the reader thread to access memory that has already been freed, leading to a heap use-after-free and an eventual crash.

Local RPZ files do not trigger this vulnerability. The issue was fixed in Unbound version 1.25.1 by patching the locking code.

Impact Analysis

This vulnerability can cause the Unbound DNS resolver to crash due to a heap use-after-free condition when specific conditions are met. This can lead to denial of service (DoS) as the service may become unavailable or unstable.

An adversary could exploit this vulnerability if they can trigger the RPZ XFR reload and RPZ zone triggers simultaneously in a multi-threaded environment, potentially causing service disruption.

Detection Guidance

This vulnerability occurs in multi-threaded Unbound DNS servers running versions 1.14.0 up to 1.25.0 that have an RPZ zone configured with 'rpz-nsip' or 'rpz-nsdname' triggers and are performing an RPZ XFR reload.

To detect if your system is vulnerable, check the Unbound version and configuration for RPZ zones using 'rpz-nsip' or 'rpz-nsdname' triggers.

  • Check Unbound version: `unbound-control -V` or `unbound -h`
  • Inspect Unbound configuration files for RPZ zones with 'rpz-nsip' or 'rpz-nsdname' triggers, e.g., `grep -r rpz-nsip /etc/unbound/` or `grep -r rpz-nsdname /etc/unbound/`
  • Verify if multi-threading is enabled in Unbound configuration (look for 'num-threads' setting)

Monitoring for crashes or heap use-after-free errors in Unbound logs during RPZ XFR reloads may also indicate exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade Unbound to version 1.25.1 or later, which contains a patch fixing the locking inconsistency.

If upgrading immediately is not possible, applying a manual patch to version 1.25.0 can mitigate the issue.

As a temporary measure, consider disabling RPZ zones with 'rpz-nsip' or 'rpz-nsdname' triggers or avoid RPZ XFR reloads until the patch or upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44608. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart