CVE-2026-44390: CWE-407: Inefficient Algorithmic Complexity in NLnet Labs Unbound
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.
AI Analysis
Technical Summary
CVE-2026-44390 is an algorithmic complexity vulnerability in NLnet Labs Unbound DNS resolver up to version 1.25.0. The vulnerability arises when Unbound processes DNS replies containing very large RRsets that require name compression. If the RRsets contain records without shared suffixes above the DNS root, Unbound's name compression logic enters an unbounded operation path, causing excessive CPU consumption and potential denial of service. Although a compression limit was introduced in version 1.21.1, it failed to handle this specific case, allowing the compression counter to not increment and the CPU to lock up. The issue is fixed in version 1.25.1 by ensuring the compression counter increments regardless of compression tree lookup results, preventing unbounded CPU usage.
Potential Impact
An attacker can exploit this vulnerability by sending specially crafted DNS responses with large RRsets to an Unbound resolver, causing it to spend excessive CPU resources applying name compression. This can degrade resolver performance and potentially cause denial of service by locking the CPU. The vulnerability affects availability but does not involve privilege escalation, data confidentiality, or integrity compromise. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is included in Unbound version 1.25.1, which properly increments the compression counter to prevent unbounded CPU usage during name compression. Users should upgrade to version 1.25.1 or later to remediate this issue. Patch status is not explicitly confirmed in the advisory, but the description indicates the fix is present in 1.25.1. No additional mitigations are specified.
CVE-2026-44390: CWE-407: Inefficient Algorithmic Complexity in NLnet Labs Unbound
Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44390 is an algorithmic complexity vulnerability in NLnet Labs Unbound DNS resolver up to version 1.25.0. The vulnerability arises when Unbound processes DNS replies containing very large RRsets that require name compression. If the RRsets contain records without shared suffixes above the DNS root, Unbound's name compression logic enters an unbounded operation path, causing excessive CPU consumption and potential denial of service. Although a compression limit was introduced in version 1.21.1, it failed to handle this specific case, allowing the compression counter to not increment and the CPU to lock up. The issue is fixed in version 1.25.1 by ensuring the compression counter increments regardless of compression tree lookup results, preventing unbounded CPU usage.
Potential Impact
An attacker can exploit this vulnerability by sending specially crafted DNS responses with large RRsets to an Unbound resolver, causing it to spend excessive CPU resources applying name compression. This can degrade resolver performance and potentially cause denial of service by locking the CPU. The vulnerability affects availability but does not involve privilege escalation, data confidentiality, or integrity compromise. There are no known exploits in the wild at this time.
Mitigation Recommendations
A fix for this vulnerability is included in Unbound version 1.25.1, which properly increments the compression counter to prevent unbounded CPU usage during name compression. Users should upgrade to version 1.25.1 or later to remediate this issue. Patch status is not explicitly confirmed in the advisory, but the description indicates the fix is present in 1.25.1. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- NLnet Labs
- Date Reserved
- 2026-05-07T10:07:51.828Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d8700ba1db4736270eed7
Added to database: 5/20/2026, 10:03:44 AM
Last enriched: 5/20/2026, 10:19:27 AM
Last updated: 5/20/2026, 9:03:09 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.