The CVE number for this vulnerability is CVE-2025-11411.

Several multi-vendor cache poisoning vulnerabilities have been
discovered in caching resolvers for non-DNSSEC protected data.

Unbound is vulnerable for some of these cases that could lead to
domain hijacking.


== Summary
Promiscuous NS RRSets that complement DNS replies in the authority
section can be used to trick resolvers to update their delegation
information for the zone.
Usually these RRSets are used to update the resolver's knowledge of the
zone's name servers.
If a malicious actor is able to attach such records in a reply (i.e.,
spoofed packet, fragmentation attack) he would be able to poison
Unbound's cache for the delegation point.

Unbound 1.24.1 includes a fix to mitigate the poison attempt.


== Affected products
Unbound up to and including version 1.24.0.


== Description
A malicious actor can exploit the possible poisonous effect by injecting
NS RRSets (and possibly their respective address records) in a reply.
This could be done for example by trying to spoof a packet or
fragmentation attacks.

Unbound would then proceed to update the NS RRSet data it already has
since the new data has enough trust for it, i.e., in-zone data for the
delegation point.

Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and
their respective address records) from replies mitigating the possible
poison effect.


== Mitigation

=== Downloading patched version
Unbound 1.24.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.24.1.tar.gz

=== Applying the patch manually
For Unbound 1.24.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_option_tests.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2025-11411_option_tests.diff
then run 'make install' to install Unbound.

The patch is tested to work on Unbound 1.24.0.

=== Applying a minimal patch manually
A minimal patch is also provided that can be used INSTEAD and applied the same
way:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411.diff

This patch only includes the needed code changes and not the relevant
option/test/documentation updates.
As such, it results in EXPECTED failures in the test suite due to the change
in behavior and the expected answers in those tests.

== Acknowledgments
We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin
Duan from Tsinghua University for discovering and responsibly disclosing
the vulnerability.