The CVE number for this vulnerability is CVE-2026-40622.

== Summary

A vulnerability in the "ghost domain names" family of attacks was found in Unbound that could extend the ghost domain window by up to one configured cache TTL value. Unbound 1.25.1 includes a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.

== Affected products

Unbound 1.16.2 up to and including version 1.25.0.

== Description

Similar to other "ghost domain names" attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached, expired parent-side referral NS rrset with the child-side apex NS rrset, which in effect extends the ghost domain window by up to one configured cache TTL value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (a non-default configuration), no client NS query is required, since Unbound implicitly performs that query itself.

Unbound 1.25.1 includes a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.

== Mitigation

=== Downloading patched version

Unbound 1.25.1 is released with the patch: https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually

For Unbound 1.25.0 the patch is: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff

Apply the patch in the Unbound source directory with:

  patch -p1 < patch_CVE-2026-40622.diff

then run 'make install' to install Unbound. The patch is tested to work on Unbound 1.25.0.

== Acknowledgments

We would like to thank Qifan Zhang from Palo Alto Networks for discovering and responsibly disclosing the vulnerability.
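A simplified model of the cache rule the description above refers to, added here as an illustration and not code from Unbound or NLnet Labs: it assumes a toy per-zone NS cache whose entries carry a parent-referral or child-apex source label, and shows that with the rule "child-side NS data never extends a cached delegation's expiry, regardless of its trust level" a constructed removed delegation stops being answered from cache when the parent referral's TTL runs out, whereas without the rule it is answered for a further 'cache-max-ttl' seconds.

```python
from dataclasses import dataclass

# Where an NS rrset came from: the parent zone's referral, or the child zone's own apex.
PARENT, CHILD = "parent-referral", "child-apex"

@dataclass
class NSEntry:
    nameservers: tuple
    expiry: int  # absolute time (seconds) at which the cached rrset stops being usable
    source: str  # PARENT or CHILD
    trust: int   # child apex data normally carries a higher trust level than a referral

class NSCache:
    """One cached NS rrset per zone name. cache_max_ttl mirrors the 'cache-max-ttl'
    option; extend_guard models the rule from the fix (model only, not Unbound code)."""

    def __init__(self, cache_max_ttl=86400, extend_guard=True):
        self.entries = {}
        self.cache_max_ttl = cache_max_ttl
        self.extend_guard = extend_guard

    def store(self, zone, nameservers, ttl, source, trust, now):
        new_expiry = now + min(ttl, self.cache_max_ttl)
        old = self.entries.get(zone)
        if old is not None and self.extend_guard and source == CHILD:
            # Fixed behaviour: child-side NS data, whatever its trust level, may refresh
            # the names but never pushes the expiry past what the parent referral granted.
            new_expiry = min(new_expiry, old.expiry)
        elif old is not None and trust < old.trust and old.expiry > now:
            return  # lower-trust data does not replace live higher-trust data
        self.entries[zone] = NSEntry(tuple(nameservers), new_expiry, source, trust)

    def lookup(self, zone, now):
        """Cached nameservers for the zone, or None when nothing usable is cached."""
        entry = self.entries.get(zone)
        if entry is None or entry.expiry <= now:
            return None
        return entry.nameservers

def ghost_window(extend_guard):
    """Seconds past the parent referral's expiry during which the removed delegation
    is still answered from cache. Constructed timeline; times and TTLs in seconds."""
    cache = NSCache(cache_max_ttl=86400, extend_guard=extend_guard)
    zone, ns = "ghost.example.", ["ns1.ghost.example."]
    cache.store(zone, ns, ttl=3600, source=PARENT, trust=1, now=0)
    # At t=3600 the referral has expired and the parent no longer delegates the zone.
    # An NS query to the child zone now returns its apex NS rrset with a long TTL.
    cache.store(zone, ns, ttl=86400, source=CHILD, trust=2, now=3600)
    return max(0, cache.entries[zone].expiry - 3600)
```

With extend_guard=False the window is the full 86400 seconds of 'cache-max-ttl'; with the guard it is 0.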