The CVE number for this vulnerability is CVE-2026-44390.

This complements previous fixes for CVE-2024-8508.


== Summary
A vulnerability has been discovered in Unbound when handling replies
with very large RRsets that Unbound needs to perform name compression
for.

Malicious upstreams responses with very large RRsets with records that don't
share a suffix above the root can cause Unbound to spend a considerable time
applying name compression to downstream replies.
This can lead to degraded performance and eventually denial of service in well
orchestrated attacks.


== Affected products
Unbound up to and including version 1.25.0.


== Description
An adversary can exploit the vulnerability by querying Unbound
for the specially crafted contents of a malicious zone with very large
RRsets.
Before Unbound replies to the query it will try to apply name
compression which was an unbounded operation that could lock the CPU
until the whole packet was complete.

A compression limit was introduced in 1.21.1 for this but it didn't
account for the case where records would not share any suffix above the root.
That causes Unbound to go in a different code path because of the compression
tree lookup failure and eventually not increment the compression counter for
those operations.

Unbound version 1.25.1 includes a fix that increments the compression counter
regardless of the compression tree lookup.


== Mitigation

=== Downloading patched version
Unbound 1.25.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually
For Unbound 1.25.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2026-44390.diff
then run 'make install' to install Unbound.

The patch is tested to work on Unbound 1.25.0.


== Acknowledgments
We would like to thank Qifan Zhang from Palo Alto Networks for discovering and
responsibly disclosing the vulnerability.