Vulnerability-Lookup

RHSA-2026:19752

Vulnerability from csaf_redhat - Published: 2026-05-20 17:20 - Updated: 2026-05-21 02:25

Summary

Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

Severity

Important

Notes

Topic: An update for Red Hat Hardened Images RPMs is now available.

Details: This update includes the following RPMs: unbound: * python3-unbound-1.25.1-0.1.hum1 (aarch64, x86_64) * unbound-1.25.1-0.1.hum1 (aarch64, x86_64) * unbound-anchor-1.25.1-0.1.hum1 (aarch64, x86_64) * unbound-devel-1.25.1-0.1.hum1 (aarch64, x86_64) * unbound-dracut-1.25.1-0.1.hum1 (aarch64, x86_64) * unbound-libs-1.25.1-0.1.hum1 (aarch64, x86_64) * unbound-munin-1.25.1-0.1.hum1 (noarch) * unbound-utils-1.25.1-0.1.hum1 (aarch64, x86_64) * unbound-1.25.1-0.1.hum1.src (src)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-33278

A flaw was discovered in Unbound’s DNSSEC validator can leave it using an invalid memory pointer after certain DS sub-query validations fail due to NSEC3 budget exhaustion. This may cause crashes and could potentially allow arbitrary code execution.

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-416 - Use After Free

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:unbound-main@aarch64	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:unbound-main@noarch	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:unbound-main@src	—	Vendor Fix fix
Unresolved product id: Red Hat Hardened Images:unbound-main@x86_64	—	Vendor Fix fix

Threats

Impact Important

CVE-2026-42944

A flaw was found in Unbound, a Domain Name System (DNS) resolver. A remote attacker could trigger a heap overflow by sending specially crafted DNS reply packets. This occurs when Unbound attempts to encode multiple Name Server Identifier (NSID) or Extension Mechanisms for DNS (EDNS) Cookie options, or EDNS Padding options, and these options are enabled. Successful exploitation of this vulnerability could lead to a denial of service (DoS), making the Unbound service unavailable.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:unbound-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:unbound-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:unbound-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:unbound-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

CVE-2026-42959

A flaw was found in Unbound's DNSSEC validator when constructing chase-reply messages for validation. The code uses the wrong counter to calculate write offsets for ADDITIONAL section resource record sets. When a DNAME chain is combined with authority filtering, an uninitialized array slot is created that the validator later dereferences, causing an immediate process crash. Any application or infrastructure relying on Unbound for DNS resolution could be forced to exit unexpectedly, resulting in a denial-of-service condition.

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-824 - Access of Uninitialized Pointer

Affected products

Fixed 4 products

Product	Version	Remediation
Unresolved product id: Red Hat Hardened Images:unbound-main@aarch64	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:unbound-main@noarch	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:unbound-main@src	—	Vendor Fix fix Workaround
Unresolved product id: Red Hat Hardened Images:unbound-main@x86_64	—	Vendor Fix fix Workaround

Threats

Impact Important

References

19 references

URL	Category
https://access.redhat.com/errata/RHSA-2026:19752	self
https://images.redhat.com/	external
https://access.redhat.com/security/cve/CVE-2026-42959	external
https://access.redhat.com/security/updates/classi…	external
https://access.redhat.com/security/cve/CVE-2026-33278	external
https://access.redhat.com/security/cve/CVE-2026-42944	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2026-33278	self
https://bugzilla.redhat.com/show_bug.cgi?id=2479808	external
https://www.cve.org/CVERecord?id=CVE-2026-33278	external
https://nvd.nist.gov/vuln/detail/CVE-2026-33278	external
https://access.redhat.com/security/cve/CVE-2026-42944	self
https://bugzilla.redhat.com/show_bug.cgi?id=2479774	external
https://www.cve.org/CVERecord?id=CVE-2026-42944	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42944	external
https://access.redhat.com/security/cve/CVE-2026-42959	self
https://bugzilla.redhat.com/show_bug.cgi?id=2479806	external
https://www.cve.org/CVERecord?id=CVE-2026-42959	external
https://nvd.nist.gov/vuln/detail/CVE-2026-42959	external

Acknowledgments

Palo Alto Qifan Zhang

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for Red Hat Hardened Images RPMs is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "This update includes the following RPMs:\n\nunbound:\n  * python3-unbound-1.25.1-0.1.hum1 (aarch64, x86_64)\n  * unbound-1.25.1-0.1.hum1 (aarch64, x86_64)\n  * unbound-anchor-1.25.1-0.1.hum1 (aarch64, x86_64)\n  * unbound-devel-1.25.1-0.1.hum1 (aarch64, x86_64)\n  * unbound-dracut-1.25.1-0.1.hum1 (aarch64, x86_64)\n  * unbound-libs-1.25.1-0.1.hum1 (aarch64, x86_64)\n  * unbound-munin-1.25.1-0.1.hum1 (noarch)\n  * unbound-utils-1.25.1-0.1.hum1 (aarch64, x86_64)\n  * unbound-1.25.1-0.1.hum1.src (src)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:19752",
        "url": "https://access.redhat.com/errata/RHSA-2026:19752"
      },
      {
        "category": "external",
        "summary": "https://images.redhat.com/",
        "url": "https://images.redhat.com/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42959",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42959"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-33278",
        "url": "https://access.redhat.com/security/cve/CVE-2026-33278"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-42944",
        "url": "https://access.redhat.com/security/cve/CVE-2026-42944"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19752.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-05-21T02:25:37+00:00",
      "generator": {
        "date": "2026-05-21T02:25:37+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.8.0"
        }
      },
      "id": "RHSA-2026:19752",
      "initial_release_date": "2026-05-20T17:20:01+00:00",
      "revision_history": [
        {
          "date": "2026-05-20T17:20:01+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-05-20T18:18:06+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-05-21T02:25:37+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Hardened Images",
                "product": {
                  "name": "Red Hat Hardened Images",
                  "product_id": "Red Hat Hardened Images",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:hummingbird:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Hardened Images"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "unbound-main@aarch64",
                "product": {
                  "name": "unbound-main@aarch64",
                  "product_id": "unbound-main@aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python3-unbound@1.25.1-0.1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "unbound-main@x86_64",
                "product": {
                  "name": "unbound-main@x86_64",
                  "product_id": "unbound-main@x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python3-unbound@1.25.1-0.1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "unbound-main@src",
                "product": {
                  "name": "unbound-main@src",
                  "product_id": "unbound-main@src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/unbound@1.25.1-0.1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "unbound-main@noarch",
                "product": {
                  "name": "unbound-main@noarch",
                  "product_id": "unbound-main@noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/unbound-munin@1.25.1-0.1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-main@aarch64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:unbound-main@aarch64"
        },
        "product_reference": "unbound-main@aarch64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-main@noarch as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:unbound-main@noarch"
        },
        "product_reference": "unbound-main@noarch",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-main@src as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:unbound-main@src"
        },
        "product_reference": "unbound-main@src",
        "relates_to_product_reference": "Red Hat Hardened Images"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "unbound-main@x86_64 as a component of Red Hat Hardened Images",
          "product_id": "Red Hat Hardened Images:unbound-main@x86_64"
        },
        "product_reference": "unbound-main@x86_64",
        "relates_to_product_reference": "Red Hat Hardened Images"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Qifan Zhang"
          ],
          "organization": "Palo Alto"
        }
      ],
      "cve": "CVE-2026-33278",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "discovery_date": "2026-05-19T11:46:56.937000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2479808"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was discovered in Unbound\u2019s DNSSEC validator can leave it using an invalid memory pointer after certain DS sub-query validations fail due to NSEC3 budget exhaustion. This may cause crashes and could potentially allow arbitrary code execution.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "unbound: Unbound DNSSEC Validator Use-After-Free via Deep Copy Pointer Overwrite Leading to DoS and Possible Remote Code Execution",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:unbound-main@aarch64",
          "Red Hat Hardened Images:unbound-main@noarch",
          "Red Hat Hardened Images:unbound-main@src",
          "Red Hat Hardened Images:unbound-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-33278"
        },
        {
          "category": "external",
          "summary": "RHBZ#2479808",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479808"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-33278",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-33278"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33278",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33278"
        }
      ],
      "release_date": "2026-05-20T11:33:59.504000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-20T17:20:01+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:19752"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "unbound: Unbound DNSSEC Validator Use-After-Free via Deep Copy Pointer Overwrite Leading to DoS and Possible Remote Code Execution"
    },
    {
      "cve": "CVE-2026-42944",
      "discovery_date": "2026-05-19T09:59:55.126000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2479774"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Unbound, a Domain Name System (DNS) resolver. A remote attacker could trigger a heap overflow by sending specially crafted DNS reply packets. This occurs when Unbound attempts to encode multiple Name Server Identifier (NSID) or Extension Mechanisms for DNS (EDNS) Cookie options, or EDNS Padding options, and these options are enabled. Successful exploitation of this vulnerability could lead to a denial of service (DoS), making the Unbound service unavailable.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:unbound-main@aarch64",
          "Red Hat Hardened Images:unbound-main@noarch",
          "Red Hat Hardened Images:unbound-main@src",
          "Red Hat Hardened Images:unbound-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42944"
        },
        {
          "category": "external",
          "summary": "RHBZ#2479774",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479774"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42944",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42944"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42944",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42944"
        }
      ],
      "release_date": "2026-05-20T11:33:22.428000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-20T17:20:01+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:19752"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Qifan Zhang"
          ],
          "organization": "Palo Alto"
        }
      ],
      "cve": "CVE-2026-42959",
      "cwe": {
        "id": "CWE-824",
        "name": "Access of Uninitialized Pointer"
      },
      "discovery_date": "2026-05-19T11:23:24.234000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2479806"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Unbound\u0027s DNSSEC validator when constructing chase-reply messages for validation. The code uses the wrong counter to calculate write offsets for ADDITIONAL section resource record sets. When a DNAME chain is combined with authority filtering, an uninitialized array slot is created that the validator later dereferences, causing an immediate process crash. Any application or infrastructure relying on Unbound for DNS resolution could be forced to exit unexpectedly, resulting in a denial-of-service condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The Red Hat Product Security team has assessed the severity of this vulnerability as Important, given that it can be remotely triggered without authentication or user interaction via a single crafted DNS query. Successful exploitation allows an attacker to crash the Unbound resolver process, disrupting DNS resolution for all dependent services. The vulnerability\u0027s root cause is the use of incorrect counters to calculate write offsets, leading to dereference of an uninitialized pointer and subsequent denial-of-service.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Hardened Images:unbound-main@aarch64",
          "Red Hat Hardened Images:unbound-main@noarch",
          "Red Hat Hardened Images:unbound-main@src",
          "Red Hat Hardened Images:unbound-main@x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-42959"
        },
        {
          "category": "external",
          "summary": "RHBZ#2479806",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479806"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-42959",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-42959"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-42959",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42959"
        }
      ],
      "release_date": "2026-05-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-05-20T17:20:01+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
          "product_ids": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:19752"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Hardened Images:unbound-main@aarch64",
            "Red Hat Hardened Images:unbound-main@noarch",
            "Red Hat Hardened Images:unbound-main@src",
            "Red Hat Hardened Images:unbound-main@x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages"
    }
  ]
}

CVE-2026-33278 (GCVE-0-2026-33278)

Vulnerability from cvelistv5 – Published: 2026-05-20 09:18 – Updated: 2026-05-20 12:13

Title

Possible arbitrary code execution during DNSSEC validation

Summary

NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.

Severity ?

9.1 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Red

CWE

CWE-416 - Use After Free
CWE-672 - Operation on a Resource after Expiration or Release

Assigner

NLnet Labs

References

1 reference

URL	Tags
https://www.nlnetlabs.nl/downloads/unbound/CVE-20…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
NLnet Labs	Unbound	Affected: 1.19.1 , < 1.25.1 (semver)

Date Public ?

2026-05-20 00:00

Credits

Qifan Zhang (Palo Alto Networks)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33278",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T12:13:01.681597Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T12:13:09.692Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Unbound",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThan": "1.25.1",
              "status": "affected",
              "version": "1.19.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qifan Zhang (Palo Alto Networks)"
        }
      ],
      "datePublic": "2026-05-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination\u0027s pointer with the source\u0027s pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Red",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "CWE-416: Use After Free",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T09:18:15.225Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed starting with version 1.25.1"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-15T00:00:00.000Z",
          "value": "Issue reported by Qifan Zhang"
        },
        {
          "lang": "en",
          "time": "2026-04-29T00:00:00.000Z",
          "value": "NLnet Labs shares patch"
        },
        {
          "lang": "en",
          "time": "2026-04-29T00:00:00.000Z",
          "value": "Qifan Zhang verifies patch"
        },
        {
          "lang": "en",
          "time": "2026-05-20T00:00:00.000Z",
          "value": "Fixes released with version 1.25.1"
        }
      ],
      "title": "Possible arbitrary code execution during DNSSEC validation",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2026-33278",
    "datePublished": "2026-05-20T09:18:15.225Z",
    "dateReserved": "2026-05-07T10:07:51.853Z",
    "dateUpdated": "2026-05-20T12:13:09.692Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42944 (GCVE-0-2026-42944)

Vulnerability from cvelistv5 – Published: 2026-05-20 09:20 – Updated: 2026-05-20 13:38

Title

Heap overflow with multiple NSID, COOKIE, PADDING EDNS options

Summary

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red

CWE

CWE-197 - Numeric Truncation Error
CWE-787 - Out-of-bounds Write

Assigner

NLnet Labs

References

1 reference

URL	Tags
https://www.nlnetlabs.nl/downloads/unbound/CVE-20…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
NLnet Labs	Unbound	Affected: 1.14.0 , < 1.25.1 (semver)

Date Public ?

2026-05-20 00:00

Credits

Qifan Zhang (Palo Alto Networks)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42944",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:37:32.347565Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:38:17.529Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Unbound",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThan": "1.25.1",
              "status": "affected",
              "version": "1.14.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qifan Zhang (Palo Alto Networks)"
        }
      ],
      "datePublic": "2026-05-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options (\u0027nsid\u0027, \u0027answer-cookie\u0027, \u0027pad-responses\u0027 (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-197",
              "description": "CWE-197: Numeric Truncation Error",
              "lang": "en",
              "type": "CWE"
            },
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T09:20:23.906Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed starting with version 1.25.1"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-26T00:00:00.000Z",
          "value": "Issue reported by Qifan Zhang"
        },
        {
          "lang": "en",
          "time": "2026-04-28T00:00:00.000Z",
          "value": "NLnet Labs shares patch"
        },
        {
          "lang": "en",
          "time": "2026-04-29T00:00:00.000Z",
          "value": "Qifan Zhang verifies patch"
        },
        {
          "lang": "en",
          "time": "2026-05-20T00:00:00.000Z",
          "value": "Fixes released with version 1.25.1"
        }
      ],
      "title": "Heap overflow with multiple NSID, COOKIE, PADDING EDNS options",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2026-42944",
    "datePublished": "2026-05-20T09:20:23.906Z",
    "dateReserved": "2026-05-07T10:07:51.833Z",
    "dateUpdated": "2026-05-20T13:38:17.529Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42959 (GCVE-0-2026-42959)

Vulnerability from cvelistv5 – Published: 2026-05-20 09:20 – Updated: 2026-05-20 13:12

Title

Crash during DNSSEC validation of malicious content

Summary

NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.

Severity ?

8.7 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red

CWE

CWE-824 - Access of Uninitialized Pointer

Assigner

NLnet Labs

References

1 reference

URL	Tags
https://www.nlnetlabs.nl/downloads/unbound/CVE-20…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
NLnet Labs	Unbound	Affected: 0 , < 1.25.1 (semver)

Date Public ?

2026-05-20 00:00

Credits

Qifan Zhang (Palo Alto Networks)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42959",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:12:27.057310Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:12:56.258Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Unbound",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThan": "1.25.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qifan Zhang (Palo Alto Networks)"
        }
      ],
      "datePublic": "2026-05-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-824",
              "description": "CWE-824: Access of Uninitialized Pointer",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T09:20:45.766Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed starting with version 1.25.1"
        },
        {
          "lang": "en",
          "value": "Configuring \u0027val-clean-additional: no\u0027 (non-default) bypasses the vulnerable code in vulnerable versions"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-15T00:00:00.000Z",
          "value": "Issue reported by Qifan Zhang"
        },
        {
          "lang": "en",
          "time": "2026-04-29T00:00:00.000Z",
          "value": "NLnet Labs shares patch"
        },
        {
          "lang": "en",
          "time": "2026-04-29T00:00:00.000Z",
          "value": "Qifan Zhang verifies patch"
        },
        {
          "lang": "en",
          "time": "2026-05-20T00:00:00.000Z",
          "value": "Fixes released with version 1.25.1"
        }
      ],
      "title": "Crash during DNSSEC validation of malicious content",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2026-42959",
    "datePublished": "2026-05-20T09:20:45.766Z",
    "dateReserved": "2026-05-07T10:07:51.848Z",
    "dateUpdated": "2026-05-20T13:12:56.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:19752

CVE-2026-33278 (GCVE-0-2026-33278)

CVE-2026-42944 (GCVE-0-2026-42944)

CVE-2026-42959 (GCVE-0-2026-42959)

Tags

Sightings

Nomenclature