Yang Luo

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions prior to 1.25.1 **Description** An issue exists where promiscuous RRSets (Resource Record Sets) that complement DNS replies in the authority section can be used to trick the system into caching unauthorized records. An adversary can poison the cache by attaching such records to a reply via spoofed packets or fragmentation attacks. Specifically, a malicious actor can inject RRSets other than NS (Name Server), such as MX (Mail Exchange), accompanied by address records in a reply. The system may then accept and cache relative address records from the additional section if the authority RRSet possesses sufficient trust, such as in-zone data for the delegation point. **Recommendations** Update to version 1.25.1.

**Name of the Vulnerable Software and Affected Versions** Recursor (affected versions not specified) **Description** Improperly crafted zones may cause increased resource consumption. Additionally, crafted CNAME chains can lead to cache poisoning within the Recursor. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NLnet Labs Unbound versions up to and including 1.24.0 **Description** Unbound is susceptible to domain hijack attacks through the manipulation of DNS responses. Specifically, maliciously crafted NS Resource Record Sets (RRSets) included in replies can cause the resolver to update its delegation information, potentially leading to a zone transfer. An attacker could exploit this by injecting NS RRSets, possibly through packet spoofing or fragmentation attacks, causing Unbound to update its existing NS RRSet data due to the perceived trustworthiness of the injected information. **Recommendations** Update to version 1.24.1 or later.

Name of the Vulnerable Software and Affected Versions: Vim versions 9.1.1231 through 9.1.1399 Description: Vim is a command line text editor. An error during evaluation when processing nested tuples in Vim script can trigger a use-after-free in Vim’s internal tuple reference management. The `tuple unref()` function may access already freed memory due to improper lifetime handling, leading to memory corruption. The exploit requires direct user interaction, as the script must be explicitly executed within Vim. Recommendations: Update to Vim version 9.1.1400 or later.

Name of the Vulnerable Software and Affected Versions: Vim versions 9.1.1231 through 9.1.1405 Description: Vim is a command line text editor. Versions from 9.1.1231 to before 9.1.1406 contain a flaw where processing nested tuples during Vim9 script import operations can trigger a double-free in Vim’s internal typed value (typval T) management. Specifically, the `clear tv()` function may attempt to free already deallocated memory due to improper lifetime handling in the `handle import` / `ex import` code paths. This issue is triggered when a user opens and executes a specially crafted Vim script. Recommendations: Update to Vim version 9.1.1406 or later.