CVE-2026-44608

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-44608
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44608.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-44608
Downstream
Related
Published
2026-05-20T10:16:28.313Z
Modified
2026-06-06T07:44:15.169866552Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.

References

Affected packages

Git / github.com/nlnetlabs/unbound

Affected ranges

Type
GIT
Repo
https://github.com/nlnetlabs/unbound
Events
Introduced
919c8c9527281a7289415c00f8f2aed12b17a9aa
Fixed
75b6dba593d4fff000434cd64807c6ebd50bd244
Database specific 
{
    "cpe": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "1.14.0"
        },
        {
            "fixed": "1.25.1"
        }
    ]
}

Affected versions

release-1.*
release-1.14.0
release-1.14.0rc1
release-1.15.0
release-1.15.0rc1
release-1.16.0
release-1.16.0rc1
release-1.16.1
release-1.16.1rc1
release-1.16.2
release-1.18.0
release-1.18.0rc1
release-1.19.0
release-1.19.0rc1
release-1.19.3rc1
release-1.20.0
release-1.20.0rc1
release-1.21.0
release-1.21.0rc1
release-1.22.0
release-1.22.0rc1
release-1.23.0rc1
release-1.24.0
release-1.24.0rc1
release-1.25.0
release-1.25.0rc1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-44608.json"
vanir_signatures_modified 
"2026-05-31T03:35:38Z"
vanir_signatures 
[
    {
        "signature_type": "Function",
        "id": "CVE-2026-44608-7cb89fac",
        "source": "https://github.com/nlnetlabs/unbound/commit/75b6dba593d4fff000434cd64807c6ebd50bd244",
        "target": {
            "file": "services/rpz.c",
            "function": "rpz_callback_from_iterator_module"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "function_hash": "26148135886169857913239956572075736548",
            "length": 1502.0
        }
    },
    {
        "signature_type": "Line",
        "id": "CVE-2026-44608-a3b17d2e",
        "source": "https://github.com/nlnetlabs/unbound/commit/75b6dba593d4fff000434cd64807c6ebd50bd244",
        "target": {
            "file": "services/rpz.c"
        },
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "108481287081154918060659085654141150584",
                "73953166938600086918224773195867549742",
                "15251087855327528788980657535362970158",
                "48532896601082718174781974683716349061",
                "287248990686482337183326495344180868363",
                "112058947495561481565691171486557666856",
                "238258467286774268681997190612827183971",
                "126648031849056156900266153546629664662",
                "335401097143186200364020904286165936708",
                "336096779053276656395004922884987906159",
                "248876396313049466881138460638611830858",
                "293135123655960925553682804594622081358",
                "298612071867479354827766089224387452786",
                "217265304546593372824910550975155656654",
                "13292601781282786772501437491204364169",
                "281286782737850123600796590480125479595",
                "74511316679551775089931390035715335201",
                "161066344018382590627892027575409612852",
                "226343512543910522766563315515650712879"
            ]
        }
    }
]