CVE-2026-33278: CWE-416: Use After Free in NLnet Labs Unbound
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
AI Analysis
Technical Summary
CVE-2026-33278 is a use-after-free vulnerability in NLnet Labs Unbound DNSSEC validator affecting versions 1.19.1 up to and including 1.25.0. The issue arises when Unbound deep-copies response messages to preserve them across memory region teardown during DS sub-queries suspended due to NSEC3 computational budget exhaustion. A struct-assignment bug overwrites the destination pointer with the source pointer, resulting in a dangling pointer after the sub-query memory region is freed. When the validator resumes, it dereferences this dangling pointer, causing a crash or potentially enabling arbitrary code execution. The vulnerability has a CVSS 4.0 score of 9.1 (critical). Unbound 1.25.1 contains a fix that corrects the pointer handling during deep copying.
Potential Impact
The vulnerability can be exploited remotely without authentication by an adversary controlling a malicious signed DNS zone. It can cause denial of service by crashing the Unbound DNS resolver and may lead to remote code execution due to use-after-free memory corruption. This poses a critical risk to systems running vulnerable Unbound versions, potentially impacting DNS resolution reliability and security.
Mitigation Recommendations
A patch fixing this vulnerability is available in Unbound version 1.25.1. Users should upgrade to version 1.25.1 or later to remediate this issue. Red Hat has issued security advisories and updates for affected Red Hat Enterprise Linux 10 packages that include this fix. Applying these official updates is the recommended remediation. Patch status is confirmed by vendor advisories linked in the references.
CVE-2026-33278: CWE-416: Use After Free in NLnet Labs Unbound
Description
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
CVSS v4.0
Score 9.1critical
Affected software
pkg:github/nlnetlabs/unboundRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33278 is a use-after-free vulnerability in NLnet Labs Unbound DNSSEC validator affecting versions 1.19.1 up to and including 1.25.0. The issue arises when Unbound deep-copies response messages to preserve them across memory region teardown during DS sub-queries suspended due to NSEC3 computational budget exhaustion. A struct-assignment bug overwrites the destination pointer with the source pointer, resulting in a dangling pointer after the sub-query memory region is freed. When the validator resumes, it dereferences this dangling pointer, causing a crash or potentially enabling arbitrary code execution. The vulnerability has a CVSS 4.0 score of 9.1 (critical). Unbound 1.25.1 contains a fix that corrects the pointer handling during deep copying.
Potential Impact
The vulnerability can be exploited remotely without authentication by an adversary controlling a malicious signed DNS zone. It can cause denial of service by crashing the Unbound DNS resolver and may lead to remote code execution due to use-after-free memory corruption. This poses a critical risk to systems running vulnerable Unbound versions, potentially impacting DNS resolution reliability and security.
Mitigation Recommendations
A patch fixing this vulnerability is available in Unbound version 1.25.1. Users should upgrade to version 1.25.1 or later to remediate this issue. Red Hat has issued security advisories and updates for affected Red Hat Enterprise Linux 10 packages that include this fix. Applying these official updates is the recommended remediation. Patch status is confirmed by vendor advisories linked in the references.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- NLnet Labs
- Date Reserved
- 2026-05-07T10:07:51.853Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-33278","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:23231","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:24369","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2026:19752","vendor":"Red Hat"}]
Threat ID: 6a0d86fdba1db4736270ee50
Added to database: 05/20/2026, 10:03:41 UTC
Last enriched: 06/30/2026, 21:43:36 UTC
Last updated: 07/05/2026, 23:04:37 UTC
Views: 133
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.