CVE-2026-44608
Heap Use-After-Free in Unbound DNS Server
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: NLnet Labs
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nlnet_labs | unbound | From 1.14.0 (inc) to 1.25.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-413 | The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44608 is a locking inconsistency vulnerability in NLnet Labs Unbound versions 1.14.0 up to and including 1.25.0. It occurs in multi-threaded environments when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers undergoes an RPZ XFR reload. If an XFR happens simultaneously while another thread reads the RPZ zone, improper locking can cause the reader thread to access memory that has already been freed, leading to a heap use-after-free and an eventual crash.
Local RPZ files do not trigger this vulnerability. The issue was fixed in Unbound version 1.25.1 by patching the locking code.
How can this vulnerability impact me? :
This vulnerability can cause the Unbound DNS resolver to crash due to a heap use-after-free condition when specific conditions are met. This can lead to denial of service (DoS) as the service may become unavailable or unstable.
An adversary could exploit this vulnerability if they can trigger the RPZ XFR reload and RPZ zone triggers simultaneously in a multi-threaded environment, potentially causing service disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in multi-threaded Unbound DNS servers running versions 1.14.0 up to 1.25.0 that have an RPZ zone configured with 'rpz-nsip' or 'rpz-nsdname' triggers and are performing an RPZ XFR reload.
To detect if your system is vulnerable, check the Unbound version and configuration for RPZ zones using 'rpz-nsip' or 'rpz-nsdname' triggers.
- Check Unbound version: `unbound-control -V` or `unbound -h`
- Inspect Unbound configuration files for RPZ zones with 'rpz-nsip' or 'rpz-nsdname' triggers, e.g., `grep -r rpz-nsip /etc/unbound/` or `grep -r rpz-nsdname /etc/unbound/`
- Verify if multi-threading is enabled in Unbound configuration (look for 'num-threads' setting)
Monitoring for crashes or heap use-after-free errors in Unbound logs during RPZ XFR reloads may also indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Unbound to version 1.25.1 or later, which contains a patch fixing the locking inconsistency.
If upgrading immediately is not possible, applying a manual patch to version 1.25.0 can mitigate the issue.
As a temporary measure, consider disabling RPZ zones with 'rpz-nsip' or 'rpz-nsdname' triggers or avoid RPZ XFR reloads until the patch or upgrade is applied.