CVE-2024-1931 Overview
CVE-2024-1931 is an infinite loop vulnerability [CWE-835] in NLnet Labs Unbound, a widely deployed validating, recursive, and caching DNS resolver. The flaw affects versions 1.18.0 through 1.19.1 and can be triggered remotely over the network to cause denial of service. The defect resides in the code path that trims Extended DNS Error (EDE) record text fields when a response exceeds the client's advertised buffer size. Under specific conditions, the trimming loop fails to terminate, consuming CPU resources on the resolver. Exploitation requires the non-default ede: yes configuration option to be enabled.
Critical Impact
A remote, unauthenticated attacker can induce an infinite loop in Unbound resolvers configured with EDE responses enabled, exhausting CPU and disrupting DNS resolution for all downstream clients.
Affected Products
- NLnet Labs Unbound versions 1.18.0 through 1.19.1
- Fedora 38, 39, and 40
- FreeBSD and NetApp products bundling vulnerable Unbound builds
Discovery Timeline
- 2024-03-07 - CVE-2024-1931 published to NVD
- 2024-12-17 - Last updated in NVD database
Technical Details for CVE-2024-1931
Vulnerability Analysis
Unbound 1.18.0 introduced logic to strip Extended DNS Error (EDE) records from responses when the total response size exceeds the client's advertised UDP buffer size. Before discarding EDE records entirely, the resolver attempts to preserve EDE codes by trimming the optional EXTRA-TEXT field on each record. The vulnerability stems from an unchecked loop condition in this trimming routine. When Unbound generates a positive reply that carries attached EDE information, and the client's buffer is too small to fit the full record set, the trimming code can iterate without ever reaching a terminating state.
The defect is classified as a loop with unreachable exit condition [CWE-835]. A single crafted query that elicits an EDE-tagged positive response against an undersized buffer is sufficient to pin a worker thread at 100% CPU. Repeated queries can exhaust available worker threads and stall DNS resolution platform-wide.
Root Cause
The trimming function does not validate that each iteration reduces the response size or advances past a record. When the residual EXTRA-TEXT cannot be reduced further yet the size check still fails, control re-enters the loop indefinitely. The upstream fix in version 1.19.2 adds the missing termination guard. See the NLnet Labs CVE-2024-1931 Advisory for the maintainer's technical writeup.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends DNS queries with a small advertised EDNS0 UDP buffer size to a recursive resolver running a vulnerable Unbound build with ede: yes configured. When the response that Unbound prepares contains EDE annotations and would exceed the advertised buffer, the resolver enters the infinite loop. Because Unbound is typically exposed to large client populations or open recursive infrastructure, the blast radius extends to every dependent service relying on the affected resolver.
No verified public exploit code is available for CVE-2024-1931. The vulnerability mechanism is documented in the vendor advisory linked above.
Detection Methods for CVE-2024-1931
Indicators of Compromise
- Unbound worker threads pinned at sustained 100% CPU utilization without a corresponding spike in query throughput
- Growing query backlog and rising client-side DNS timeouts against an otherwise healthy resolver
- Inbound DNS traffic from a small set of source addresses repeatedly advertising unusually small EDNS0 UDP buffer sizes
Detection Strategies
- Inventory all Unbound deployments and flag any instance running 1.18.0 through 1.19.1 with ede: yes set in unbound.conf
- Correlate Unbound process CPU metrics with query rates to surface low-volume, high-CPU patterns characteristic of this DoS condition
- Inspect packet captures or DNS telemetry for queries advertising small EDNS0 buffer sizes paired with names known to generate EDE responses
Monitoring Recommendations
- Alert on Unbound num.queries stagnation while mem.total or per-thread CPU climbs, indicating stuck worker threads
- Track resolution latency (histogram.000000.000000.to.*) percentiles and trigger on sustained degradation
- Enable and centralize Unbound logging at verbosity: 2 or higher to capture EDE-related response handling for forensic review
How to Mitigate CVE-2024-1931
Immediate Actions Required
- Upgrade Unbound to version 1.19.2 or later, which contains the upstream fix that bounds the EDE trimming loop
- If immediate upgrade is not feasible, remove or set ede: no in unbound.conf to disable the vulnerable code path entirely
- Apply vendor-supplied packages from Fedora, FreeBSD, and NetApp advisories listed in the references for bundled distributions
Patch Information
NLnet Labs released Unbound 1.19.2 to address CVE-2024-1931. The fix adds the missing termination check so that the EDE EXTRA-TEXT trimming routine cannot loop indefinitely. Downstream packagers have published updates through the Fedora Package Announcement, FreeBSD Security Advisory, and NetApp Security Advisory.
Workarounds
- Disable Extended DNS Error responses by setting ede: no in the server configuration block until patching is complete
- Restrict resolver access to known client networks using access-control directives to reduce exposure to untrusted queries
- Place rate limiting in front of recursive resolvers to slow repeated abusive queries from individual source addresses
# Configuration example: disable EDE responses as a temporary mitigation
# /etc/unbound/unbound.conf
server:
ede: no
# Optional: restrict who can query the resolver
access-control: 10.0.0.0/8 allow
access-control: 0.0.0.0/0 refuse
# Reload Unbound to apply changes
unbound-control reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
