An update for unbound is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-2522 Final 1.0 1.0 2026-05-29 Initial 2026-05-29 2026-05-29 openEuler SA Tool V1.0 2026-05-29 unbound security update An update for unbound is now available for openEuler-24.03-LTS-SP1 Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. To help increase online privacy, Unbound supports DNS-over-TLS which allows clients to encrypt their communication. Unbound is available for most platforms such as FreeBSD, OpenBSD, NetBSD, MacOS, Linux and Microsoft Windows. Unbound is a totally free, open source software under the BSD license. It doesn't make custom builds or provide specific features to paying customers only. Security Fix(es): NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.(CVE-2026-33278) NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).(CVE-2026-41292) NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.(CVE-2026-42944) NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.(CVE-2026-42959) NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.(CVE-2026-42960) An update for unbound is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical unbound https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2522 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-33278 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-41292 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-42944 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-42959 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-42960 https://nvd.nist.gov/vuln/detail/CVE-2026-33278 https://nvd.nist.gov/vuln/detail/CVE-2026-41292 https://nvd.nist.gov/vuln/detail/CVE-2026-42944 https://nvd.nist.gov/vuln/detail/CVE-2026-42959 https://nvd.nist.gov/vuln/detail/CVE-2026-42960 openEuler-24.03-LTS-SP1 python3-unbound-1.17.1-16.oe2403sp1.aarch64.rpm unbound-1.17.1-16.oe2403sp1.aarch64.rpm unbound-anchor-1.17.1-16.oe2403sp1.aarch64.rpm unbound-debuginfo-1.17.1-16.oe2403sp1.aarch64.rpm unbound-debugsource-1.17.1-16.oe2403sp1.aarch64.rpm unbound-devel-1.17.1-16.oe2403sp1.aarch64.rpm unbound-help-1.17.1-16.oe2403sp1.aarch64.rpm unbound-libs-1.17.1-16.oe2403sp1.aarch64.rpm unbound-utils-1.17.1-16.oe2403sp1.aarch64.rpm python3-unbound-1.17.1-16.oe2403sp1.x86_64.rpm unbound-1.17.1-16.oe2403sp1.x86_64.rpm unbound-anchor-1.17.1-16.oe2403sp1.x86_64.rpm unbound-debuginfo-1.17.1-16.oe2403sp1.x86_64.rpm unbound-debugsource-1.17.1-16.oe2403sp1.x86_64.rpm unbound-devel-1.17.1-16.oe2403sp1.x86_64.rpm unbound-help-1.17.1-16.oe2403sp1.x86_64.rpm unbound-libs-1.17.1-16.oe2403sp1.x86_64.rpm unbound-utils-1.17.1-16.oe2403sp1.x86_64.rpm unbound-1.17.1-16.oe2403sp1.src.rpm NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure. 2026-05-29 CVE-2026-33278 openEuler-24.03-LTS-SP1 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H unbound security update 2026-05-29 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2522 NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100). 2026-05-29 CVE-2026-41292 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H unbound security update 2026-05-29 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2522 NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation. 2026-05-29 CVE-2026-42944 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H unbound security update 2026-05-29 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2522 NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets. 2026-05-29 CVE-2026-42959 openEuler-24.03-LTS-SP1 High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H unbound security update 2026-05-29 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2522 NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411. 2026-05-29 CVE-2026-42960 openEuler-24.03-LTS-SP1 Critical 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H unbound security update 2026-05-29 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2522