PT-2024-39063 · Nlnet · Unbound
Toshifumi Sakaguchi · Published 2024-10-03 · Updated 2026-05-20
CVE-2024-8508
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions:
NLnet Labs Unbound versions 1.21.0 and earlier
Description:
The issue arises when handling replies with very large RRsets that require name compression. Malicious upstream responses with very large RRsets can cause Unbound to spend considerable time applying name compression to downstream replies, leading to degraded performance and potentially denial of service in well-orchestrated attacks. A malicious actor can exploit this by querying Unbound for specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query, it attempts to apply name compression, which was previously an unbounded operation that could occupy the CPU until the whole packet was complete.
Recommendations:
For NLnet Labs Unbound versions 1.21.0 and earlier, update to version 1.21.1 or later, which introduces a hard limit on the number of name compression calculations it is willing to do per packet, preventing the CPU from being locked for long periods.
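As an added illustration (not Unbound's code and not the project's actual patch), the following Python sketches RFC 1035 name compression with a per-packet budget of suffix lookups, the kind of hard limit the advisory describes for 1.21.1. It encodes a constructed RRset of many owner names once with an unbounded budget (the pre-fix behaviour, where work grows with the number of names) and once with a cap, and decodes both packets to show the capped output stays valid wire format. The budget semantics (once exhausted, remaining names are written uncompressed), the sample owner names and the class and function names are assumptions of this example.

```python
# Added example, not Unbound's code: DNS name compression (RFC 1035 §4.1.4)
# with a per-packet cap on the number of compression lookups. The budget
# semantics (once exhausted, remaining names are written uncompressed, which
# is still valid wire format) are an assumption made for this example.
from typing import Dict, List, Optional, Tuple

MAX_POINTER_OFFSET = 0x3FFF  # compression pointers carry a 14-bit offset


def _labels(name: str) -> List[str]:
    return [label for label in name.rstrip(".").split(".") if label]


class PacketBuilder:
    """Appends owner names to a wire-format buffer, compressing known suffixes."""

    def __init__(self, compression_budget: Optional[int] = None) -> None:
        self.buf = bytearray()
        self.offsets: Dict[Tuple[str, ...], int] = {}  # lowercased suffix -> offset
        self.budget = compression_budget  # None means unbounded (pre-fix behaviour)
        self.calculations = 0  # suffix lookups performed for this packet

    def _budget_left(self) -> bool:
        return self.budget is None or self.calculations < self.budget

    def write_name(self, name: str) -> bool:
        """Write one name; return True if a compression pointer was emitted."""
        labels = _labels(name)
        keys = tuple(label.lower() for label in labels)
        for i, label in enumerate(labels):
            if self._budget_left():
                self.calculations += 1  # one compression calculation per suffix probe
                target = self.offsets.get(keys[i:])
                if target is not None:
                    self.buf += (0xC000 | target).to_bytes(2, "big")
                    return True
                if len(self.buf) <= MAX_POINTER_OFFSET:
                    self.offsets[keys[i:]] = len(self.buf)
            # Budget exhausted or no known suffix: write the label verbatim.
            raw = label.encode("ascii")
            self.buf += bytes([len(raw)]) + raw
        self.buf += b"\x00"
        return False


def read_name(buf: bytes, pos: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, position after it)."""
    labels: List[str] = []
    end: Optional[int] = None
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:
            pointer = ((length & 0x3F) << 8) | buf[pos + 1]
            if pointer >= pos:  # only backward pointers, so decoding terminates
                raise ValueError("forward compression pointer")
            if end is None:
                end = pos + 2
            pos = pointer
            continue
        pos += 1
        if length == 0:
            break
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + ".", end if end is not None else pos


def build_rrset(owners: List[str], budget: Optional[int]) -> Tuple[bytes, int, int]:
    """Encode all owner names; return (wire bytes, lookups done, names compressed)."""
    builder = PacketBuilder(budget)
    compressed = sum(1 for owner in owners if builder.write_name(owner))
    return bytes(builder.buf), builder.calculations, compressed


def decode_all(buf: bytes, count: int) -> List[str]:
    """Decode `count` consecutive names starting at offset 0."""
    names, pos = [], 0
    for _ in range(count):
        name, pos = read_name(buf, pos)
        names.append(name)
    return names


# Constructed sample: a large RRset whose owner names share one suffix.
OWNERS = [f"host{i}.example.com." for i in range(500)]

if __name__ == "__main__":
    for budget in (None, 100):
        wire, lookups, compressed = build_rrset(OWNERS, budget)
        assert decode_all(wire, len(OWNERS)) == OWNERS
        print(f"budget={budget}: {lookups} lookups, {compressed} compressed, {len(wire)} bytes")
```

With the unbounded budget the lookup count grows linearly with the number of names in the RRset (here 1001 lookups for 500 names), while the capped builder stops probing after 100 lookups and falls back to uncompressed labels, trading a larger packet for bounded CPU time. Both packets decode to the same owner names.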
Tags: Fix, DoS, Resource Exhaustion
Affected Products:
Alt Linux
Almalinux
Astra Linux
Centos
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Unbound