2405706 – (CVE-2025-11411) CVE-2025-11411 unbound: Unbound domain hijacking via promiscuous records

Bug 2405706 (CVE-2025-11411) - CVE-2025-11411 unbound: Unbound domain hijacking via promiscuous records

Summary: CVE-2025-11411 unbound: Unbound domain hijacking via promiscuous records

Keywords:
Status:	NEW
Alias:	CVE-2025-11411
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2405929 2405930
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-22 13:01 UTC by OSIDB Bzimport
Modified:	2025-10-22 20:56 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-22 13:01:28 UTC

NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect.

Note You need to log in before you can comment on or make changes to this bug.