The CVE number for this vulnerability is CVE-2026-33278.


== Summary
A vulnerability was found in Unbound's DNSSEC validator that enables denial of
service and possible remote code execution as a result of deep copying a data
structure and erroneously overwriting a destination pointer.

Unbound 1.25.1 includes a fix to preserve the correct pointer when deep copying
the data structure.


== Affected products
Unbound 1.19.1 up to and including version 1.25.0.


== Description
An adversary can exploit the vulnerability by controlling a malicious signed
zone and querying a vulnerable Unbound.
When DS sub-queries need to suspend validation due to NSEC3 computational
budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response
messages to preserve them across memory region teardown.
A struct-assignment bug overwrites the destination's pointer with the source's
pointer.
After the sub-query region is freed, the resumed validator dereferences this
dangling pointer, triggering a crash or potentially enabling arbitrary code
execution.

Unbound 1.25.1 includes a fix to preserve the correct pointer when deep copying
the data structure.


== Mitigation

=== Downloading patched version
Unbound 1.25.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually
For Unbound 1.25.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-33278_with.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2026-33278_with.diff
then run 'make install' to install Unbound.

A minimal patch that only addresses the vulnerability without further code
improvements is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-33278.diff
and can be used INSTEAD to make it easier for patching.

Both patches are tested to work on Unbound 1.25.0.


== Acknowledgments
We would like to thank Qifan Zhang from Palo Alto Networks for discovering and
responsibly disclosing the vulnerability.