PT-2026-42125 · Unbound+1
Qifan Zhang · Published 2026-05-20 · Updated 2026-05-26
CVE-2026-33278 · CVSS v3.1 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
NLnet Labs Unbound versions 1.19.1 through 1.25.0
Description
A flaw in the DNSSEC validator allows denial of service and potentially remote code execution. When a DS sub-query suspends validation because the NSEC3 computational budget is exhausted, the validator deep-copies a data structure so that it can resume later. A struct-assignment bug in that copy overwrites the destination pointer with the source pointer, so the supposedly independent copy still points into the sub-query's memory region. When that region is subsequently freed, the resumed validator dereferences the dangling pointer, which can crash the resolver or lead to arbitrary code execution. An attacker who controls a malicious signed zone can trigger the flaw by causing the affected resolver to query it.
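The bug class described above, as a constructed illustration added here (this is not Unbound's code; the struct names `rrset`, `val_state`, `region` and the function names are hypothetical stand-ins for a region-allocated record and the validator state that must survive a suspend). The buggy copy allocates its own buffer and then performs a whole-struct assignment, which replaces the freshly allocated pointer with the source pointer; the fixed copy assigns the scalar fields and copies the bytes. `validator_copy_dangles()` returns whether the validator's copy still points into the sub-query region at the moment that region is freed, without dereferencing freed memory:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins, not Unbound types. */
struct rrset {
    uint8_t *rdata;
    size_t rdata_len;
};

struct val_state {
    struct rrset ds;   /* the validator's own copy of the DS data */
};

/* Arena-style region: every allocation from it dies when the region is freed. */
struct region {
    uint8_t *buf;
    size_t used, cap;
};

static struct region *region_create(size_t cap) {
    struct region *r = malloc(sizeof *r);
    r->buf = malloc(cap);
    r->used = 0;
    r->cap = cap;
    return r;
}

static void *region_alloc(struct region *r, size_t n) {
    if (r->used + n > r->cap) return NULL;
    void *p = r->buf + r->used;
    r->used += n;
    return p;
}

static void region_free(struct region *r) {
    free(r->buf);
    free(r);
}

/* BUGGY: a separate buffer is allocated for dst, but the whole-struct
 * assignment then copies src's pointer over it. 'own' leaks and dst
 * aliases the region-backed buffer, which later becomes a dangling pointer. */
static int rrset_copy_buggy(struct rrset *dst, const struct rrset *src) {
    uint8_t *own = malloc(src->rdata_len);
    if (!own) return 0;
    dst->rdata = own;
    dst->rdata_len = src->rdata_len;
    *dst = *src;   /* intended memcpy of the bytes; actually overwrites dst->rdata */
    return 1;
}

/* FIXED: copy the scalar field, then copy the bytes into dst's own buffer. */
static int rrset_copy_fixed(struct rrset *dst, const struct rrset *src) {
    dst->rdata_len = src->rdata_len;
    dst->rdata = malloc(src->rdata_len);
    if (!dst->rdata) return 0;
    memcpy(dst->rdata, src->rdata, src->rdata_len);
    return 1;
}

/* 1 if p lies inside the region's buffer, i.e. would dangle once the region is freed. */
static int points_into_region(const struct region *r, const void *p) {
    uintptr_t q = (uintptr_t)p, lo = (uintptr_t)r->buf, hi = lo + r->cap;
    return q >= lo && q < hi;
}

/* Simulates the sequence from the advisory: the sub-query region holds the DS
 * rdata, the validator copies it, the region is freed. Returns 1 if the
 * validator's copy dangles into the freed region, 0 if it owns its bytes. */
int validator_copy_dangles(int use_fixed) {
    struct region *subq = region_create(256);
    struct rrset src;
    src.rdata_len = 32;
    src.rdata = region_alloc(subq, src.rdata_len);
    memset(src.rdata, 0xAB, src.rdata_len);   /* constructed sample rdata */

    struct val_state st;
    int ok = use_fixed ? rrset_copy_fixed(&st.ds, &src)
                       : rrset_copy_buggy(&st.ds, &src);
    int dangles = ok && points_into_region(subq, st.ds.rdata);
    if (ok && !dangles) free(st.ds.rdata);   /* only our own buffer is safe to free */
    region_free(subq);
    /* In the buggy case st.ds.rdata now dangles; it is deliberately never read. */
    return dangles;
}

int main(void) {
    printf("buggy copy dangles into freed region: %d\n", validator_copy_dangles(0));
    printf("fixed copy dangles into freed region: %d\n", validator_copy_dangles(1));
    return 0;
}
```

The practical lesson is that after any deep-copy routine, the destination must not share pointers with the source; a whole-struct assignment placed after the per-field allocation silently undoes the allocation, and the error only surfaces once the source's region is freed.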
Recommendations
Update to version 1.25.1.
Tags: Fix · DoS · RCE · Use After Free
Related Identifiers
Affected Products
Ubuntu
Unbound