CVE-2026-44390 Overview
CVE-2026-44390 is a denial of service vulnerability in NLnet Labs Unbound, an open-source validating, recursive, and caching DNS resolver. The flaw affects Unbound versions up to and including 1.25.0 and stems from how the resolver applies name compression to downstream replies containing very large RRsets. When records in a malicious zone do not share any suffix above the root, Unbound enters a code path that bypasses the existing compression counter limit. This allows an attacker to lock CPU resources during reply processing. The vulnerability is a complementary fix to CVE-2024-8508 and is tracked under CWE-407: Inefficient Algorithmic Complexity.
Critical Impact
Remote attackers can degrade Unbound resolver performance and trigger denial of service conditions by querying specially crafted malicious zones with very large RRsets, exhausting CPU resources on the resolver.
Affected Products
- NLnet Labs Unbound versions up to and including 1.25.0
- Recursive DNS resolver deployments running affected Unbound versions
- Systems relying on Unbound for DNS resolution of arbitrary upstream zones
Discovery Timeline
- 2026-05-20 - CVE-2026-44390 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-44390
Vulnerability Analysis
The vulnerability resides in Unbound's DNS name compression logic, which the resolver applies before transmitting downstream replies. Name compression reduces packet size by referencing previously seen domain suffixes within the same DNS message. When Unbound processes very large RRsets, it must perform compression lookups across every record in the response.
NLnet Labs introduced a compression limit in Unbound 1.21.1 as part of the CVE-2024-8508 remediation. That fix capped the number of compression operations performed during reply construction. However, the counter increment was tied to successful compression tree lookups. Records that do not share any suffix above the root trigger compression tree lookup failures, which route execution through a different code path that omits the counter increment.
This bypass restores the unbounded behavior the original patch was meant to prevent. An attacker delivering large RRsets with no shared suffix can force Unbound to spend prolonged CPU time on compression operations per query.
Root Cause
The root cause is incomplete enforcement of the compression operation counter introduced in version 1.21.1. The counter only increments on successful compression tree lookups. Records lacking a shared suffix above the root cause lookup failures and skip the counter, leaving the compression operation effectively unbounded.
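The following is an added illustration written for this page, not Unbound's msgencode code: a simplified model of a reply encoder with a per-reply compression budget, in which the counter is advanced either only on a successful suffix lookup (the 1.21.1 behaviour the text describes) or on every attempt (the 1.25.1 behaviour). COMPRESS_LIMIT, the table structure and the constructed name lists are assumptions; the number of lookup steps stands in for CPU time.

```python
"""Added model of the compression-operation budget described above. This is
example code written for this page, not Unbound's msgencode code: the table,
the counter, COMPRESS_LIMIT and the names are constructed for illustration."""

COMPRESS_LIMIT = 120   # assumed per-reply budget of compression operations


class CompressionTable:
    """Suffixes already written to the reply, keyed by label tuple."""

    def __init__(self):
        self.suffixes = {}   # tuple of labels -> message offset of that suffix
        self.lookups = 0     # tree-walk steps performed (stands in for CPU time)

    def lookup(self, labels):
        """Longest previously stored suffix above the root, or None."""
        for i in range(len(labels)):          # never considers the root itself
            self.lookups += 1
            suffix = tuple(labels[i:])
            if suffix in self.suffixes:
                return suffix, self.suffixes[suffix]
        return None                           # lookup failure: only the root matched

    def store(self, labels, offset):
        """Record every suffix of a name just written at `offset`."""
        pos = offset
        for i, label in enumerate(labels):
            self.suffixes.setdefault(tuple(labels[i:]), pos)
            pos += len(label) + 1


def encode_names(names, count_only_on_hit):
    """Run the compression loop over the owner/target names of one reply.

    count_only_on_hit=True models the counter as the page describes it for
    1.21.1 (advanced only when a lookup succeeds); False models the 1.25.1 fix
    (advanced on every attempt). Returns the number of lookup steps spent."""
    table = CompressionTable()
    compress_count = 0
    offset = 0
    for name in names:
        labels = name.rstrip(".").split(".")
        if compress_count < COMPRESS_LIMIT:
            hit = table.lookup(labels)        # a real encoder writes a pointer on a hit
            if hit is not None or not count_only_on_hit:
                compress_count += 1
        # once the budget is spent, the name is written uncompressed at no lookup cost
        table.store(labels, offset)
        offset += sum(len(label) + 1 for label in labels) + 1
    return table.lookups


def shared_suffix_names(n):
    """Constructed benign RRset targets: all share the suffix 'example.'."""
    return [f"ns{i}.example." for i in range(n)]


def no_shared_suffix_names(n):
    """Constructed hostile RRset targets: pairwise they share only the root."""
    return [f"ns{i}.tld{i}." for i in range(n)]


if __name__ == "__main__":
    for label, names in (("shared suffix", shared_suffix_names(5000)),
                         ("no shared suffix", no_shared_suffix_names(5000))):
        print(f"{label:17s} 1.21.1-style counter: {encode_names(names, True):6d} lookups"
              f"   fixed counter: {encode_names(names, False):6d} lookups")
```

With 5000 names sharing a suffix, both counters stop the work after the budget (242 and 240 lookup steps). With 5000 names that share only the root, the hit-only counter never advances and the work grows with the RRset (10000 steps), while the counter that advances on every attempt caps it at 240 regardless of RRset size, which is the property the 1.25.1 patch restores.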
Attack Vector
An adversary hosts a malicious authoritative zone containing very large RRsets whose records share no common suffix above the root. The attacker then issues queries to a target Unbound resolver that cause it to fetch and process these RRsets from the malicious upstream. Unbound applies name compression to the response before forwarding it downstream, consuming CPU until the operation completes. Repeated or concurrent queries can sustain CPU exhaustion and degrade or deny service to legitimate clients. The attack requires no authentication and is conducted over the network.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the NLnet Labs CVE-2026-44390 advisory for vendor technical details.
Detection Methods for CVE-2026-44390
Indicators of Compromise
- Sustained high CPU utilization on Unbound resolver processes without a corresponding increase in legitimate query volume.
- Outbound DNS resolution traffic to unusual authoritative servers hosting zones with abnormally large RRsets.
- Delayed or timed-out responses to downstream DNS clients during periods of normal request load.
- DNS response packets containing RRsets with hundreds or thousands of records lacking a shared parent suffix.
Detection Strategies
- Monitor Unbound process CPU usage and correlate spikes with the originating client query and upstream zone being resolved.
- Inspect outbound DNS responses for RRset sizes that exceed organizational baselines for typical zones.
- Enable Unbound query logging and review queries that consistently trigger long response times.
- Track the version string of deployed Unbound instances and flag any running 1.25.0 or earlier.
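As an added example of the RRset inspection described in the indicators and strategies above (written for this page; not NLnet Labs or Unbound code), the script below parses a DNS response from the wire, groups the answer section into RRsets, and flags any RRset with at least min_records records whose RDATA names (for NS, CNAME, PTR and MX) pairwise share no suffix above the root, i.e. every name has a distinct top-level label. The two messages are constructed inline with a small encoder; the threshold of 100 records is an assumption to be tuned against local baselines.

```python
"""Added detection helper, written for this page (not NLnet Labs code): parse a
DNS response from the wire, group the answer section into RRsets, and flag
large RRsets whose RDATA names share no suffix above the root. The messages
below are constructed inline so the script runs offline."""
import struct
from collections import defaultdict

NAME_TYPES = {2: "NS", 5: "CNAME", 12: "PTR", 15: "MX"}  # RDATA carries a name


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (labels, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2                           # resume after first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return labels, (off if end is None else end)


def parse_answer(msg):
    """Return [(owner_labels, rtype, [rdata_name_labels, ...]), ...]."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):                             # skip the question
        _, off = read_name(msg, off)
        off += 4
    rrs = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        names = []
        if rtype in NAME_TYPES:
            start = off + 2 if rtype == 15 else off      # MX: skip preference
            names.append(read_name(msg, start)[0])
        rrs.append((tuple(owner), rtype, names))
        off += rdlen
    return rrs


def inspect_response(msg, min_records=100):
    """Flag RRsets with >= min_records records whose RDATA names pairwise share
    only the root (every name has a different top-level label)."""
    counts, names = defaultdict(int), defaultdict(list)
    for owner, rtype, rnames in parse_answer(msg):
        counts[(owner, rtype)] += 1
        names[(owner, rtype)].extend(rnames)
    findings = []
    for key, count in counts.items():
        rnames = [n for n in names[key] if n]            # drop root-only names
        if count < min_records or not rnames:
            continue
        tlds = {n[-1].lower() for n in rnames}
        if len(tlds) == len(rnames):
            owner, rtype = key
            findings.append((".".join(owner) + ".", NAME_TYPES[rtype], count, len(tlds)))
    return findings


def build_ns_response(zone, targets):
    """Construct a reply with one NS RRset; owners point (0xC00C) at the
    question name, targets are written uncompressed."""
    def wire(name):
        labels = name.rstrip(".").split(".")
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(targets), 0, 0)
    msg += wire(zone) + struct.pack("!HH", 2, 1)
    for target in targets:
        rdata = wire(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 2, 1, 3600, len(rdata)) + rdata
    return msg


# constructed samples: 400 NS targets sharing 'example.' vs. 400 distinct TLDs
BENIGN = build_ns_response("zone.test.", [f"ns{i}.example." for i in range(400)])
SUSPICIOUS = build_ns_response("zone.test.", [f"ns{i}.tld{i}." for i in range(400)])

if __name__ == "__main__":
    print("benign    :", inspect_response(BENIGN))
    print("suspicious:", inspect_response(SUSPICIOUS))
```

In a deployment the input would be the raw message captured from the resolver's upstream traffic (TCP responses included, since RRsets of this size exceed UDP limits); the same parser can be run over a pcap export to correlate a flagged RRset with the client query and upstream server, as the strategies above recommend.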
Monitoring Recommendations
- Instrument resolver hosts to alert when DNS response generation latency exceeds defined thresholds.
- Forward Unbound statistics counters (num.query, time.up, CPU time per query) to a centralized monitoring system.
- Correlate resolver CPU saturation with the client IPs initiating the triggering queries for upstream isolation.
How to Mitigate CVE-2026-44390
Immediate Actions Required
- Upgrade all Unbound instances to version 1.25.1 or later, which contains the patch that increments the compression counter regardless of compression tree lookup outcome.
- Inventory infrastructure for Unbound deployments, including embedded resolvers in appliances and container images.
- Restrict resolver access to authorized client networks where feasible to limit attacker-driven query injection.
Patch Information
NLnet Labs released Unbound 1.25.1 containing the complete fix. The patch ensures the compression operation counter increments on every compression attempt, closing the bypass path that occurs when records share no suffix above the root. See the NLnet Labs CVE-2026-44390 advisory for upgrade guidance.
Workarounds
- Configure Unbound with strict response size limits and rate limiting per client to reduce amplification potential while patching is scheduled.
- Apply egress filtering or DNS policy controls to block resolution of known malicious authoritative servers.
- Place resolvers behind monitoring that can throttle or terminate sessions producing sustained CPU saturation.
# Verify the running Unbound version and upgrade
unbound -V | head -n 1
# Example package upgrade on Debian/Ubuntu after repository update
sudo apt-get update && sudo apt-get install --only-upgrade unbound
# Restart the resolver and confirm version 1.25.1 or later
sudo systemctl restart unbound
unbound-control status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.