Red Hat Security Advisory: unbound security update
Multiple security vulnerabilities have been identified in the unbound DNS resolver packages used in Red Hat Enterprise Linux 10 and related products. These include a heap overflow and crash triggered by specific EDNS options (CVE-2026-42944), a denial of service via an incorrect write offset counter in chase-reply messages (CVE-2026-42959), and a use-after-free vulnerability in the DNSSEC validator that can lead to denial of service and potentially remote code execution (CVE-2026-33278). Red Hat has issued an important security advisory with updates to address these issues. The vulnerabilities affect various architectures including x86_64, s390x, ppc64le, and aarch64. No known exploits in the wild have been reported at this time. A security update is available and should be applied to mitigate these vulnerabilities.
AI Analysis
Technical Summary
The unbound DNS resolver packages in Red Hat Enterprise Linux 10 contain three notable security flaws: (1) a heap overflow and crash caused by handling multiple NSID, cookie, and padding EDNS options (CVE-2026-42944), (2) a denial of service vulnerability in the DNSSEC validator due to an incorrect write offset counter in chase-reply messages (CVE-2026-42959), and (3) a use-after-free vulnerability in the DNSSEC validator related to deep copy pointer overwrite, which can lead to denial of service and possible remote code execution (CVE-2026-33278). These issues are addressed in the updated unbound packages provided by Red Hat. The advisory covers multiple architectures and product variants. The update is classified as important by Red Hat Product Security.
Potential Impact
Successful exploitation of these vulnerabilities could cause unbound to crash (denial of service) or, in the case of CVE-2026-33278, potentially allow remote code execution. This impacts the availability and integrity of DNS resolution services on affected systems. No known active exploits have been reported, but the presence of a use-after-free vulnerability with possible remote code execution elevates the risk.
Mitigation Recommendations
Red Hat has released updated unbound packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 10 and related products should apply the security update as described in the Red Hat advisory RHSA-2026:23231. Detailed update instructions are available at https://access.redhat.com/articles/11258. Since this is an on-premises product, remediation requires applying the vendor-provided patches. There are no indications that no action is required or that the issue is already mitigated without patching.
Red Hat Security Advisory: unbound security update
Description
Multiple security vulnerabilities have been identified in the unbound DNS resolver packages used in Red Hat Enterprise Linux 10 and related products. These include a heap overflow and crash triggered by specific EDNS options (CVE-2026-42944), a denial of service via an incorrect write offset counter in chase-reply messages (CVE-2026-42959), and a use-after-free vulnerability in the DNSSEC validator that can lead to denial of service and potentially remote code execution (CVE-2026-33278). Red Hat has issued an important security advisory with updates to address these issues. The vulnerabilities affect various architectures including x86_64, s390x, ppc64le, and aarch64. No known exploits in the wild have been reported at this time. A security update is available and should be applied to mitigate these vulnerabilities.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The unbound DNS resolver packages in Red Hat Enterprise Linux 10 contain three notable security flaws: (1) a heap overflow and crash caused by handling multiple NSID, cookie, and padding EDNS options (CVE-2026-42944), (2) a denial of service vulnerability in the DNSSEC validator due to an incorrect write offset counter in chase-reply messages (CVE-2026-42959), and (3) a use-after-free vulnerability in the DNSSEC validator related to deep copy pointer overwrite, which can lead to denial of service and possible remote code execution (CVE-2026-33278). These issues are addressed in the updated unbound packages provided by Red Hat. The advisory covers multiple architectures and product variants. The update is classified as important by Red Hat Product Security.
Potential Impact
Successful exploitation of these vulnerabilities could cause unbound to crash (denial of service) or, in the case of CVE-2026-33278, potentially allow remote code execution. This impacts the availability and integrity of DNS resolution services on affected systems. No known active exploits have been reported, but the presence of a use-after-free vulnerability with possible remote code execution elevates the risk.
Mitigation Recommendations
Red Hat has released updated unbound packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 10 and related products should apply the security update as described in the Red Hat advisory RHSA-2026:23231. Detailed update instructions are available at https://access.redhat.com/articles/11258. Since this is an on-premises product, remediation requires applying the vendor-provided patches. There are no indications that no action is required or that the issue is already mitigated without patching.
Technical Details
- Gcve Source
- db.gcve.eu
- Csaf Category
- csaf_security_advisory
- Csaf Version
- 2.0
- Publisher
- Red Hat Product Security
- Advisory Id
- RHSA-2026:23231
- Cve Count
- 3
- Additional Cves
- ["CVE-2026-42944","CVE-2026-42959"]
- Cvss Version
- null
Threat ID: 6a21eb19e29bf47b50d2564c
Added to database: 6/4/2026, 9:16:09 PM
Last enriched: 6/4/2026, 9:18:29 PM
Last updated: 6/5/2026, 2:30:42 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.