Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule.
This issue has been classified as having low security impact because:
- by default, Unbound is not configured to listen on a public interface
- by default, the ACL is limited to localhost, so even when Unbound listens on a public interface, the crash cannot be triggered in the default configuration
It mostly affects people running Unbound as a "public" DNS resolver. In such configurations, Unbound holds no valuable secrets that a successful attack could obtain, so at best the server crashes and restarts, resulting in an empty DNS cache. Sustained sending of packets would result in a DoS, though.
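The two conditions above (a non-loopback listener and an access-control rule that admits non-local sources) can be checked against a configuration file. The following is an added example, not part of the original advisory or the Unbound project: the function names and sample configs are constructed for illustration, and treating `allow`, `allow_setrd` and `allow_snoop` as the admitting actions is an assumption.

```python
import ipaddress

# Assumption: these unbound.conf(5) actions are the ones that admit a client.
ALLOW_ACTIONS = {"allow", "allow_setrd", "allow_snoop"}

def directives(conf_text):
    """Yield (key, value) pairs from unbound.conf text, skipping comments."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)  # first colon only, so "::1" survives
            yield key.strip(), value.strip().strip('"')

def is_loopback_listener(value):
    try:
        return ipaddress.ip_address(value.split("@")[0]).is_loopback
    except ValueError:
        return False  # not an IP literal: cannot prove it is loopback

def remote_exposure(conf_text):
    """Return (non_loopback_listeners, non_loopback_allowed_netblocks)."""
    listeners, allowed = [], []
    for key, value in directives(conf_text):
        if key == "interface" and not is_loopback_listener(value):
            listeners.append(value)
        elif key == "interface-automatic" and value == "yes":
            listeners.append("interface-automatic")
        elif key == "access-control":
            parts = value.split()
            if len(parts) != 2 or parts[1] not in ALLOW_ACTIONS:
                continue
            try:
                net = ipaddress.ip_network(parts[0], strict=False)
            except ValueError:
                continue  # malformed netblock: leave it to unbound-checkconf
            if not net.is_loopback:
                allowed.append(str(net))
    return listeners, allowed

def reachable_by_remote_clients(conf_text):
    listeners, allowed = remote_exposure(conf_text)
    return bool(listeners) and bool(allowed)

# Constructed sample configs (not taken from the advisory).
LOCAL_ONLY = "server:\n    verbosity: 1\n    access-control: 127.0.0.0/8 allow\n"
PUBLIC = ("server:\n    interface: 0.0.0.0   # all IPv4 addresses\n"
          "    interface: ::1\n    access-control: 0.0.0.0/0 allow\n"
          "    access-control: 10.0.0.0/8 refuse\n")

if __name__ == "__main__":
    for name, conf in (("local-only", LOCAL_ONLY), ("public", PUBLIC)):
        print(name, remote_exposure(conf), reachable_by_remote_clients(conf))
```

The check reads a single file and does not follow `include:` directives, so a split configuration has to be concatenated first.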