CVE-2026-44608: CWE-413: Improper Resource Locking in NLnet Labs Unbound
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
AI Analysis
Technical Summary
CVE-2026-44608 is a CWE-413 improper resource locking vulnerability in NLnet Labs Unbound DNS resolver versions 1.14.0 up to 1.25.0. The flaw occurs in multi-threaded environments when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers undergoes an XFR reload concurrently with another thread reading the same RPZ zone. Due to a locking inconsistency, the reader thread may access freed heap memory, causing a use-after-free condition and an eventual crash. Local RPZ files are not affected. The issue is resolved in Unbound 1.25.1 by patching the locking mechanism.
Potential Impact
An attacker can trigger a denial of service by causing Unbound to crash through a use-after-free condition when the specified RPZ XFR reload and multi-threaded conditions are met. There is no indication of privilege escalation or remote code execution. The CVSS 4.6 score reflects a medium severity impact primarily due to potential service disruption.
Mitigation Recommendations
Unbound 1.25.1 contains an official fix addressing this vulnerability. Users should upgrade to version 1.25.1 or later to remediate the issue. Until upgraded, avoid configurations that combine multi-threading with RPZ zones using 'rpz-nsip' or 'rpz-nsdname' triggers and RPZ XFR reloads simultaneously. Patch status is not explicitly stated beyond the availability of version 1.25.1 with the fix; verify with the vendor advisory for the latest remediation guidance.
CVE-2026-44608: CWE-413: Improper Resource Locking in NLnet Labs Unbound
Description
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44608 is a CWE-413 improper resource locking vulnerability in NLnet Labs Unbound DNS resolver versions 1.14.0 up to 1.25.0. The flaw occurs in multi-threaded environments when an RPZ zone with 'rpz-nsip' or 'rpz-nsdname' triggers undergoes an XFR reload concurrently with another thread reading the same RPZ zone. Due to a locking inconsistency, the reader thread may access freed heap memory, causing a use-after-free condition and an eventual crash. Local RPZ files are not affected. The issue is resolved in Unbound 1.25.1 by patching the locking mechanism.
Potential Impact
An attacker can trigger a denial of service by causing Unbound to crash through a use-after-free condition when the specified RPZ XFR reload and multi-threaded conditions are met. There is no indication of privilege escalation or remote code execution. The CVSS 4.6 score reflects a medium severity impact primarily due to potential service disruption.
Mitigation Recommendations
Unbound 1.25.1 contains an official fix addressing this vulnerability. Users should upgrade to version 1.25.1 or later to remediate the issue. Until upgraded, avoid configurations that combine multi-threading with RPZ zones using 'rpz-nsip' or 'rpz-nsdname' triggers and RPZ XFR reloads simultaneously. Patch status is not explicitly stated beyond the availability of version 1.25.1 with the fix; verify with the vendor advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- NLnet Labs
- Date Reserved
- 2026-05-07T10:07:51.822Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d8700ba1db4736270eeda
Added to database: 5/20/2026, 10:03:44 AM
Last enriched: 5/20/2026, 10:19:18 AM
Last updated: 5/21/2026, 3:21:54 PM
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.