PT-2024-2045 · Nlnet+2 · Unbound+2

Fredrik Pettai · Published 2024-03-07 · Updated 2025-02-03 · CVE-2024-1931

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Unbound versions 1.18.0 through 1.19.1

Description: A denial-of-service vulnerability caused by an infinite loop. When Unbound trims extra text fields from EDE records so that the reply fits within the client's advertised buffer size, an unchecked condition lets the trimming code loop indefinitely. The loop is reached when Unbound attaches EDE information to a positive reply and the client's buffer size is smaller than needed. The vulnerability can only be triggered when the 'ede: yes' option is used, which is a non-default configuration.

Recommendations: For Unbound versions 1.18.0 through 1.19.1, update to version 1.19.2 or later, which fixes the code so that it no longer loops indefinitely. As a temporary workaround, consider disabling the 'ede: yes' option until a patch is available.
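To check whether a host meets both conditions the advisory names (an affected version and the non-default 'ede: yes' option), here is an added shell example that is not part of the advisory or of the Unbound project. It assumes the version string has the form printed by `unbound -V` ("Version 1.19.1") and that the unbound.conf file is readable; the configuration files used to exercise it are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory or the Unbound project): report whether a host
# is exposed to CVE-2024-1931. Exposure needs BOTH conditions from the advisory:
#   1. Unbound version within 1.18.0 .. 1.19.1, and
#   2. the non-default 'ede: yes' option active in the configuration.

# version_in_range VERSION -> returns 0 when VERSION is within 1.18.0 .. 1.19.1
version_in_range() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}              # drop suffixes such as "rc1"
    [ "$major" = 1 ] || return 1
    case "$minor" in
        18) return 0 ;;                  # every 1.18.x release is affected
        19) [ "${patch:-0}" -le 1 ] ;;   # 1.19.0 and 1.19.1 affected, 1.19.2+ fixed
        *)  return 1 ;;
    esac
}

# ede_enabled CONF_FILE -> returns 0 when an uncommented 'ede: yes' line is present
ede_enabled() {
    sed 's/#.*//' "$1" | grep -Eiq '^[[:space:]]*ede:[[:space:]]*yes[[:space:]]*$'
}

# exposed VERSION CONF_FILE -> prints "exposed" or "not-exposed"
exposed() {
    if version_in_range "$1" && ede_enabled "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# installed_version -> version number taken from 'unbound -V' (assumed to print
# "Version X.Y.Z" on its first line); empty when unbound is not installed
installed_version() {
    unbound -V 2>/dev/null | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Live use on a host (only meaningful when unbound is installed):
# exposed "$(installed_version)" /etc/unbound/unbound.conf
```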

Tags: Fix · DoS · Infinite Loop

Related Identifiers

ALT-PU-2024-3769
ALT-PU-2024-3776
ALT-PU-2024-3780
ALT-PU-2024-3945
ALT-PU-2024-4896
BDU:2024-01923
CVE-2024-1931
OPENSUSE-SU-2024:13762-1
SUSE-SU-2025:20024-1

Affected Products

Alt Linux
Red Os
Unbound