2480126 – (CVE-2026-44608) CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload

Bug 2480126 (CVE-2026-44608) - CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsistency during RPZ XFR reload

Summary: CVE-2026-44608 unbound: Unbound: Denial of Service due to locking inconsisten...

Keywords:
Status:	NEW
Alias:	CVE-2026-44608
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2480383
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-20 10:01 UTC by OSIDB Bzimport
Modified:	2026-05-21 08:41 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-20 10:01:20 UTC

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.

Note You need to log in before you can comment on or make changes to this bug.