unbound

vrelease-1.25.1 scope: release Security

This release includes 11 security fixes for security teams reviewing exposed deployments.

This release patches 11 known CVEs

Topics

dns dns-privacy dnssec recursor resolver

Affected surfaces

rce_ssrf breaking_upgrade

Summary

AI summary

Multiple security vulnerabilities fixed including remote code execution, heap overflow, DNSCrypt crashes, performance degradations, cache poisoning, and use-after-free.

Changes in this release

Security Medium

Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Fix CVE-2026-42534, Jostle logic bypass degrades resolution performance.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: high

Security Medium

Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix CVE-2026-32792, Packet of death with DNSCrypt.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix CVE-2026-40622, "Ghost domain name" variant.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix CVE-2026-42960, Possible cache poisoning attack while following delegation.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Security Medium

Fix CVE-2026-44608, Use after free and crash in RPZ code.

Source: granite4.1:8b-q6_K@2026-05-20

Confidence: low

Full changelog

Unbound 1.25.1

This release has a number of security fixes.

The release is signed with the OpenPGP software signing key that has
been in use since Jan 1st 2026:

User ID: NLnet Labs releases signing key G2 <[email protected]>
Key ID: A144 323D EAAC DF45
Fingerprint: 2310 1869 0C4D 903E F419  146A A144 323D EAAC DF45

The key is available from https://nlnetlabs.nl/signing-keys .

This release consolidates security fixes for issues reported over
a period of time. There are fixes for CVE-2026-33278,
CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960,
CVE-2026-44390 and CVE-2026-44608.

Bug Fixes

  • Fix CVE-2026-33278, Possible remote code execution during DNSSEC
    validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-42944, Heap overflow and crash with multiple nsid,
    cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
    Networks, for the report.
  • Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
    content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
    Griffiths from 'calif.io' for the report.
  • Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
    Zhang, Palo Alto Networks, for the report.
  • Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
    degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
    Zhang from Palo Alto Networks, for the report.
  • Fix CVE-2026-42534, Jostle logic bypass degrades resolution
    performance. Thanks to Qifan Zhang, Palo Alto Networks, for the
    report.
  • Fix CVE-2026-42923, Degradation of service with unbounded NSEC3
    hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for
    the report.
  • Fix CVE-2026-42960, Possible cache poisoning attack while following
    delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
    and JianJun Chen, Tsinghua University, for the report.
  • Fix CVE-2026-44390, Unbounded name compression in certain cases
    causes degradation of service. Thanks to Qifan Zhang, Palo Alto
    Networks, for the report.
  • Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks
    to Qifan Zhang, Palo Alto Networks, for the report.

Security Fixes

  • CVE-2026-33278 — Possible remote code execution during DNSSEC validation
  • CVE-2026-42944 — Heap overflow and crash with multiple nsid, cookie, padding EDNS options
  • CVE-2026-42959 — Crash during DNSSEC validation of malicious content
  • CVE-2026-32792 — Packet of death with DNSCrypt
  • CVE-2026-40622 — 'Ghost domain name' variant
  • CVE-2026-41292 — Parsing long EDNS option lists degrades performance
  • CVE-2026-42534 — Jostle logic bypass degrades resolution performance
  • CVE-2026-42923 — Degradation of service with unbounded NSEC3 hash calculations
  • CVE-2026-42960 — Possible cache poisoning attack while following delegation
  • CVE-2026-44390 — Unbounded name compression causes degradation of service
  • CVE-2026-44608 — Use after free and crash in RPZ code

About unbound

Unbound is a validating, recursive, and caching DNS resolver.
