CVE-2026-33278 Overview
CVE-2026-33278 is a use-after-free vulnerability [CWE-416] in the DNSSEC validator of NLnet Labs Unbound, a widely deployed recursive DNS resolver. The flaw affects versions 1.19.1 through 1.25.0 and stems from a struct-assignment bug introduced when the resolver deep-copies response messages during NSEC3 computational budget exhaustion. An attacker who controls a malicious signed zone can trigger Unbound to dereference a dangling pointer after the sub-query memory region is freed. Exploitation results in a crash and may enable arbitrary code execution within the Unbound process. NLnet Labs released 1.25.1 to address the issue.
Critical Impact
Remote, unauthenticated attackers controlling a signed DNS zone can crash Unbound resolvers or potentially execute arbitrary code, disrupting DNS resolution across dependent networks.
Affected Products
- NLnet Labs Unbound 1.19.1 through 1.25.0
- All operating system distributions packaging affected Unbound versions
- DNS recursive resolver deployments with DNSSEC validation enabled
Discovery Timeline
- 2026-05-20 - CVE-2026-33278 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-33278
Vulnerability Analysis
The vulnerability resides in Unbound's DNSSEC validator logic that handles suspended DS (Delegation Signer) sub-queries. Unbound 1.19.1 introduced an NSEC3 computational budget that limits CPU spent on hash iterations. When a DS sub-query exhausts this budget, the validator suspends processing and must preserve response messages across memory region teardown. To do so, Unbound performs a deep copy of the response data structure into a longer-lived region.
The deep copy routine contains a faulty struct assignment that overwrites the destination pointer with the source pointer rather than the freshly allocated copy. When the original sub-query region is subsequently freed, the destination retains a pointer into freed memory. Once the validator resumes, it dereferences this dangling pointer.
Root Cause
The root cause is incorrect pointer handling during deep-copy of response message structures. The bug falls under [CWE-416] Use After Free. The fix in Unbound 1.25.1 preserves the correct pointer to the newly allocated destination buffer, ensuring the resumed validator operates on valid memory.
Attack Vector
An attacker hosts a malicious DNSSEC-signed zone with NSEC3 parameters crafted to exhaust the computational budget during DS validation. The attacker then induces a target Unbound resolver to query a name within the malicious zone. Any client able to send recursive queries, or any cached upstream referral, suffices to trigger validation. When the budget is exhausted, the suspended sub-query path executes the flawed deep copy, freeing the source region and leaving the validator with a dangling pointer that is dereferenced on resume.
No authentication or user interaction is required. The attack is network-reachable wherever Unbound accepts queries that traverse the malicious zone. See the NLnet Labs CVE-2026-33278 Advisory for additional context.
Detection Methods for CVE-2026-33278
Indicators of Compromise
- Unexpected Unbound process crashes or restarts in syslog, journalctl, or unbound.log
- Repeated DNSSEC validation failures referencing NSEC3 budget exhaustion
- Queries from internal clients to unfamiliar DNSSEC-signed zones with abnormally high NSEC3 iteration counts
- Segmentation faults or SIGSEGV entries attributed to the unbound binary
Detection Strategies
- Inventory all Unbound instances and compare installed versions against the vulnerable range 1.19.1 to 1.25.0
- Monitor for repeated worker thread terminations and automatic service restarts indicative of memory corruption
- Inspect query logs for resolution attempts targeting zones with unusual NSEC3 parameters or excessive signed delegations
- Correlate DNS service outages with upstream query patterns to identify zones triggering validator suspension
Monitoring Recommendations
- Enable verbose Unbound logging with verbosity: 2 or higher to capture validator state transitions
- Forward Unbound process telemetry and crash dumps to a centralized logging platform for correlation
- Track DNSSEC validation error rates and alert on sudden spikes
- Monitor system-level signals such as coredump entries or systemd Result=signal events for the unbound unit
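To put the version inventory and crash monitoring above into practice, here is an added Python example (not code from the advisory or from NLnet Labs): it parses the first line of unbound -V against the affected range 1.19.1 through 1.25.0 and flags journal lines that match the segfault, core-dump and restart signatures listed above. The sample log lines and the exact journal message wording are constructed assumptions, not captures from an exploited host.

```python
import re

# Affected range from the advisory: 1.19.1 through 1.25.0; 1.25.1 carries the fix.
VULN_MIN = (1, 19, 1)
VULN_MAX = (1, 25, 0)


def parse_version(first_line):
    """Extract (major, minor, patch) from the first line of `unbound -V`,
    e.g. 'Version 1.25.0'. Pre-release suffixes such as rc1 are ignored."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", first_line)
    if not m:
        raise ValueError(f"no version found in {first_line!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(first_line):
    """True when the installed release falls inside the affected range."""
    return VULN_MIN <= parse_version(first_line) <= VULN_MAX


# Crash and restart signatures for the unbound binary/unit (assumed formats:
# kernel segfault line, systemd exit/result lines, systemd restart scheduling).
CRASH_PATTERNS = [
    re.compile(r"unbound.*(SIGSEGV|segfault|Segmentation fault)", re.I),
    re.compile(r"unbound\.service: .*(code=dumped|status=11/SEGV|"
               r"Failed with result '(signal|core-dump)')"),
    re.compile(r"unbound\.service: Scheduled restart job"),
]


def crash_indicators(log_lines):
    """Return only the lines that match a crash or restart signature."""
    return [ln for ln in log_lines if any(p.search(ln) for p in CRASH_PATTERNS)]


# Constructed sample journal lines (not real captures).
SAMPLE_LOG = [
    "May 20 10:01:02 ns1 kernel: unbound[2211]: segfault at 18 ip 00005613 sp 00007ffd error 4",
    "May 20 10:01:02 ns1 systemd[1]: unbound.service: Main process exited, code=dumped, status=11/SEGV",
    "May 20 10:01:02 ns1 systemd[1]: unbound.service: Failed with result 'core-dump'.",
    "May 20 10:01:03 ns1 systemd[1]: unbound.service: Scheduled restart job, restart counter is at 3.",
    "May 20 10:01:05 ns1 unbound[2240]: [2240:0] info: start of service (unbound 1.25.0).",
]

if __name__ == "__main__":
    # Feed the real first line of `unbound -V` here; "Version 1.25.0" is a constructed sample.
    print("vulnerable" if is_vulnerable("Version 1.25.0") else "not in affected range")
    for hit in crash_indicators(SAMPLE_LOG):
        print("crash indicator:", hit)
```

Repeated matches from crash_indicators within a short window, on a host whose version check returns vulnerable, are the combination worth alerting on.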
How to Mitigate CVE-2026-33278
Immediate Actions Required
- Upgrade all Unbound instances to version 1.25.1 or later without delay
- Identify any Unbound deployments running versions between 1.19.1 and 1.25.0 and prioritize them for patching
- Restrict recursive query access to trusted client networks using access-control directives
- Review DNSSEC validation logs for evidence of prior exploitation attempts
Patch Information
NLnet Labs released Unbound 1.25.1 containing the fix that preserves the correct destination pointer during deep copy of response message data structures. Operators should obtain patched packages from their Linux distribution or directly from NLnet Labs. Refer to the NLnet Labs CVE-2026-33278 Advisory for release notes and verification hashes.
Workarounds
- Limit recursion to known internal clients via access-control: <subnet> allow and deny all others
- Place Unbound behind a query-rate-limiting front end to slow exploitation attempts
- Where feasible and policy allows, temporarily disable DNSSEC validation by removing auto-trust-anchor-file until patching completes
- Run Unbound under a process supervisor configured to restart on crash, reducing outage duration while patching proceeds
# Verify installed Unbound version (the first line of output reports the version)
unbound -V | head -n 1

# Example access-control hardening in unbound.conf
server:
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    harden-dnssec-stripped: yes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.