The CVE number for this vulnerability is CVE-2026-44608.


== Summary
A locking inconsistency vulnerability was found in Unbound that when certain
conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with
'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free
and eventual crash.

Unbound 1.25.1 includes a fix to the locking code.


== Affected products
Unbound 1.14.0 up to and including version 1.25.0.


== Description
An adversary can exploit the vulnerability if conditions are first met on a
vulnerable Unbound, i.e., multi-threaded, an RPZ zone with
'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone.
Local RPZ files do not trigger the vulnerability.

If the timing is right and an XFR happens at the same time another thread needs
to read that RPZ zone, the reader may not hold the lock long enough and the
thread applying the XFR may free objects that the reader is about to walk
causing the use-after-free.

Unbound 1.25.1 includes a fix to the locking code.


== Mitigation

=== Downloading patched version
Unbound 1.25.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually
For Unbound 1.25.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44608.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2026-44608.diff
then run 'make install' to install Unbound.

The patch is tested to work on Unbound 1.25.0.


== Acknowledgments
We would like to thank Qifan Zhang from Palo Alto Networks for discovering and
responsibly disclosing the vulnerability.