Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 1.3%top 34%

CVE-2026-33278: CWE-416: Use After Free in NLnet Labs Unbound

0
Critical
VulnerabilityCVE-2026-33278cvecve-2026-33278cwe-416cwe-672
Published: 05/20/2026 (05/20/2026, 09:18:15 UTC)
Source: CVE Database V5
Vendor/Project: NLnet Labs
Product: Unbound

Description

NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.

CVSS v4.0

Score 9.1critical

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
High
Subsq. Confidentiality
High
Subsq. Integrity
High
Subsq. Availability
High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Red

Affected software

GitHub Actionsmore threats →ai
nlnetlabs/unbound
pkg:github/nlnetlabs/unbound
Affected versions
=1.19.1<=1.25.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 06/30/2026, 21:43:36 UTC

Technical Analysis

CVE-2026-33278 is a use-after-free vulnerability in NLnet Labs Unbound DNSSEC validator affecting versions 1.19.1 up to and including 1.25.0. The issue arises when Unbound deep-copies response messages to preserve them across memory region teardown during DS sub-queries suspended due to NSEC3 computational budget exhaustion. A struct-assignment bug overwrites the destination pointer with the source pointer, resulting in a dangling pointer after the sub-query memory region is freed. When the validator resumes, it dereferences this dangling pointer, causing a crash or potentially enabling arbitrary code execution. The vulnerability has a CVSS 4.0 score of 9.1 (critical). Unbound 1.25.1 contains a fix that corrects the pointer handling during deep copying.

Potential Impact

The vulnerability can be exploited remotely without authentication by an adversary controlling a malicious signed DNS zone. It can cause denial of service by crashing the Unbound DNS resolver and may lead to remote code execution due to use-after-free memory corruption. This poses a critical risk to systems running vulnerable Unbound versions, potentially impacting DNS resolution reliability and security.

Mitigation Recommendations

A patch fixing this vulnerability is available in Unbound version 1.25.1. Users should upgrade to version 1.25.1 or later to remediate this issue. Red Hat has issued security advisories and updates for affected Red Hat Enterprise Linux 10 packages that include this fix. Applying these official updates is the recommended remediation. Patch status is confirmed by vendor advisories linked in the references.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
NLnet Labs
Date Reserved
2026-05-07T10:07:51.853Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null
Vendor Advisory Urls
[{"url":"https://access.redhat.com/security/cve/CVE-2026-33278","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:23231","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:24369","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:19752","vendor":"Red Hat"}]

Threat ID: 6a0d86fdba1db4736270ee50

Added to database: 05/20/2026, 10:03:41 UTC

Last enriched: 06/30/2026, 21:43:36 UTC

Last updated: 07/05/2026, 23:04:37 UTC

Views: 133

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses