CVE-2026-40622: Vulnerability in NLnet Labs Unbound
NLnet Labs Unbound versions 1. 16. 2 through 1. 25. 0 contain a vulnerability related to 'ghost domain names' attacks that can extend the caching window of certain DNS records by up to one configured TTL value. This occurs when Unbound overwrites an expired parent NS referral with a child apex NS record, effectively prolonging the ghost domain window. The vulnerability requires an attacker to control a ghost zone and query the vulnerable Unbound instance. In configurations with 'harden-referral-path: yes', the extension can occur without a client NS query. Unbound version 1. 25.
AI Analysis
Technical Summary
CVE-2026-40622 affects NLnet Labs Unbound DNS resolver versions 1.16.2 up to and including 1.25.0. The vulnerability belongs to the 'ghost domain names' family, where an attacker controlling a ghost zone can extend the ghost domain window by causing Unbound to overwrite cached expired parent NS referral records with child apex NS records. This extension can last up to one cached TTL value ('cache-max-ttl'). When 'harden-referral-path' is enabled, Unbound performs implicit queries that trigger this behavior without client interaction. The issue is fixed in Unbound 1.25.1 by disallowing TTL extension for parent NS records regardless of their trust level.
Potential Impact
An attacker controlling a ghost zone and able to query a vulnerable Unbound instance can extend the caching duration of certain DNS referral NS records, potentially affecting DNS resolution behavior for up to one additional TTL period. This could influence DNS cache poisoning or related DNS manipulation scenarios. The vulnerability does not require privileges or user interaction but does require control over a ghost zone and query access. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade Unbound to version 1.25.1 or later, which contains a patch preventing TTL extension for parent NS records. Since the vendor advisory indicates the fix is included in 1.25.1, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory. No alternative mitigations are indicated.
CVE-2026-40622: Vulnerability in NLnet Labs Unbound
Description
NLnet Labs Unbound versions 1. 16. 2 through 1. 25. 0 contain a vulnerability related to 'ghost domain names' attacks that can extend the caching window of certain DNS records by up to one configured TTL value. This occurs when Unbound overwrites an expired parent NS referral with a child apex NS record, effectively prolonging the ghost domain window. The vulnerability requires an attacker to control a ghost zone and query the vulnerable Unbound instance. In configurations with 'harden-referral-path: yes', the extension can occur without a client NS query. Unbound version 1. 25.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-40622 affects NLnet Labs Unbound DNS resolver versions 1.16.2 up to and including 1.25.0. The vulnerability belongs to the 'ghost domain names' family, where an attacker controlling a ghost zone can extend the ghost domain window by causing Unbound to overwrite cached expired parent NS referral records with child apex NS records. This extension can last up to one cached TTL value ('cache-max-ttl'). When 'harden-referral-path' is enabled, Unbound performs implicit queries that trigger this behavior without client interaction. The issue is fixed in Unbound 1.25.1 by disallowing TTL extension for parent NS records regardless of their trust level.
Potential Impact
An attacker controlling a ghost zone and able to query a vulnerable Unbound instance can extend the caching duration of certain DNS referral NS records, potentially affecting DNS resolution behavior for up to one additional TTL period. This could influence DNS cache poisoning or related DNS manipulation scenarios. The vulnerability does not require privileges or user interaction but does require control over a ghost zone and query access. No known exploits in the wild have been reported.
Mitigation Recommendations
Upgrade Unbound to version 1.25.1 or later, which contains a patch preventing TTL extension for parent NS records. Since the vendor advisory indicates the fix is included in 1.25.1, applying this official update is the recommended remediation. Patch status is confirmed by the vendor advisory. No alternative mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- NLnet Labs
- Date Reserved
- 2026-05-07T10:07:51.817Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d86fdba1db4736270ee56
Added to database: 5/20/2026, 10:03:41 AM
Last enriched: 5/20/2026, 10:20:03 AM
Last updated: 5/20/2026, 12:04:30 PM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.