Christopher Olah

**Name of the Vulnerable Software and Affected Versions** Unbound versions prior to 1.4.13p2 **Description** The issue allows remote DNS servers to cause a denial of service, resulting in a daemon crash, by sending a crafted response with duplicate CNAME records in a signed zone. This occurs due to an attempt to free unallocated memory during the processing of such records. **Recommendations** For versions prior to 1.4.13p2, update to version 1.4.13p2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Unbound versions prior to 1.4.13p2 **Description** The issue is related to improper proof processing for NSEC3-signed zones in the validator/val nsec3.c component. This can be exploited by remote DNS servers sending a malformed response that lacks expected NSEC3 records, leading to a denial of service (daemon crash). **Recommendations** For versions prior to 1.4.13p2, update to version 1.4.13p2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Unbound versions 1.x through 1.4.9 **Description** The issue allows remote attackers to cause a denial of service via a crafted DNS request, triggering improper error handling and resulting in an assertion failure and daemon exit. This occurs when debugging functionality and the interface-automatic option are enabled. **Recommendations** For Unbound versions 1.x through 1.4.9, update to version 1.4.10 or later to resolve the issue. As a temporary workaround, consider disabling the debugging functionality and interface-automatic option until a patch is available.