CVE-2026-33278

Published May 20, 2026

Last updated 10 days ago

CVSS critical 9.1
Ubuntu

Overview

Description
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Source
sep@nlnetlabs.nl
NVD status
Analyzed
Products
unbound

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.1
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

sep@nlnetlabs.nl
CWE-416

Social media

Hype score
Not currently trending

  1. Release 2026-05c is here! https://t.co/pprfCZtu6Q This update fixes CVE-2026-33278 in unbound and bumps Nginx to version 1.30.2. We strongly recommend updating to this version.

    @mailcow_email

    26 May 2026

    467 Impressions

    0 Retweets

    11 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Warning: #NLnet Labs has addressed multiple vulnerabilities, #CVE-2026-33278; #CVE-2026-42944; #CVE-2026-42959. Successful exploitation could enable to denial of service #DoS, and potentially remote code execution #RCE! #Patch #Patch #Patch

    @CCBalert

    21 May 2026

    144 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🔐 NLnet Labs released Unbound 1.25.1 with fixes for 11 CVEs — including a use-after-free in the DNSSEC validator (CVE-2026-33278) that could lead to remote code execution, and a cache poisoning flaw (CVE-2026-42960). 🔗 https://t.co/UaH94aLG8Q #CyberSecurity #ThreatIntel

    @ThreatAft

    21 May 2026

    56 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Top 5 Trending CVEs: 1 - CVE-2026-42945 2 - CVE-2026-46333 3 - CVE-2026-0265 4 - CVE-2020-2033 5 - CVE-2026-33278 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    21 May 2026

    145 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  5. BREAKING: Ubuntu fixes 5 Unbound flaws including CVE-2026-32792 and CVE-2026-33278 affecting 22.04, 24.04, 25.10, 26.04 LTS with DoS and RCE risk, urges immediate updates. https://t.co/YG4fcAvfhs

    @threatcluster

    20 May 2026

    77 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 【自分用メモ】CVE-2026-33278。UnboundのRCE脆弱性。CVSSスコア9.1。エグい。 https://t.co/JDWh34CDyH CVE Record: CVE-2026-33278 https://t.co/Jj6kKshdSn

    @OrangeMorishita

    20 May 2026

    1820 Impressions

    9 Retweets

    16 Likes

    6 Bookmarks

    0 Replies

    1 Quote

  7. Unbound 1.25.1 fixes 11 CVEs https://t.co/ifcflXyhiP CVE-2026-33278: Remote code execution during DNSSEC validation CVE-2026-42944: Heap overflow and crash with multiple nsid, cookie, padding EDNS options CVE-2026-42959: Crash during DNSSEC validation of malicious content +8 more

    @oss_security

    20 May 2026

    1604 Impressions

    6 Retweets

    17 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Rsync versions before 3.4.3 contain a time-of-check to time-of-use (TOCTOU) race condition in daemon file handling that allows attackers to redirect file writes outside intended directories by replacing parent directory components with symbolic links. Attackers with write access to a module path can exploit this race condition to create or overwrite arbitrary files, potentially modifying sensitive system files and achieving privilege escalation when the daemon runs with elevated privileges. This vulnerability can only be triggered if the chroot setting is false.CVE-2026-29518
  2. NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.CVE-2026-44608
  3. NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability when handling replies with very large RRsets that Unbound needs to perform name compression for. Malicious upstream responses with very large RRsets with records that don't share a suffix above the root can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well orchestrated attacks. An adversary can exploit the vulnerability by querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression which was an unbounded operation that could lock the CPU until the whole packet was complete. A compression limit was introduced in 1.21.1 for this but it didn't account for the case where records would not share any suffix above the root. That causes Unbound to go in a different code path because of the compression tree lookup failure and eventually not increment the compression counter for those operations. Unbound 1.25.1 contains a patch with a fix that increments the compression counter regardless of the compression tree lookup. This is a complement fix to CVE-2024-8508.CVE-2026-44390
  4. NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.CVE-2026-42960
  5. NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).CVE-2026-41292

References

Sources include official advisories and independent security research.