CVE-2026-44608 Overview
CVE-2026-44608 is a locking inconsistency vulnerability in NLnet Labs Unbound, a widely deployed validating, recursive, and caching DNS resolver. The flaw affects versions 1.14.0 through 1.25.0 and can produce a heap use-after-free condition when specific runtime conditions converge. Exploitation requires Unbound to run in multi-threaded mode with a Response Policy Zone (RPZ) configured for rpz-nsip or rpz-nsdname triggers, plus an in-progress zone transfer (XFR) for that RPZ zone. The race between an XFR reload and a concurrent reader can crash the resolver, disrupting DNS resolution for downstream clients. The issue is categorized under CWE-413 (Improper Resource Locking).
Critical Impact
A timing-dependent race between RPZ XFR reload and reader threads can free objects mid-walk, causing a heap use-after-free and resolver crash that interrupts DNS service.
Affected Products
- NLnet Labs Unbound 1.14.0 through 1.25.0
- Deployments running Unbound in multi-threaded configuration
- Resolvers using RPZ zones with rpz-nsip or rpz-nsdname triggers fed via XFR
Discovery Timeline
- 2026-05-20 - CVE-2026-44608 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-44608
Vulnerability Analysis
The vulnerability resides in Unbound's RPZ subsystem, which applies DNS filtering policy based on triggers such as rpz-nsip (name server IP) and rpz-nsdname (name server domain name). When Unbound runs multi-threaded, multiple worker threads access shared RPZ data structures. A reader thread acquires a lock to traverse RPZ objects but releases that lock before completing the walk. Concurrently, another thread applying an incoming XFR can free those same objects. The reader then dereferences freed heap memory, producing undefined behavior and an eventual crash.
Local RPZ files loaded from disk do not exercise the vulnerable code path. The condition requires zone data delivered through XFR, which is the standard mechanism for distributing RPZ feeds from threat intelligence providers.
Root Cause
The root cause is improper lock scope in the RPZ reload path. The reader does not hold the lock for the full duration of its traversal across rpz-nsip and rpz-nsdname trigger structures. The XFR-applying thread assumes exclusive access once it acquires its own lock and proceeds to free policy objects that remain reachable by the reader.
Attack Vector
An adversary cannot directly trigger the conditions remotely without insider access to the RPZ feed or precise control over XFR timing. The vulnerable window opens when an XFR for an RPZ zone with rpz-nsip or rpz-nsdname triggers arrives while another thread is reading that same zone. Exploitation requires the attacker to align a malicious or routine query with the XFR reload moment to provoke the use-after-free. The CVSS 4.0 vector identifies network attack vector with high attack complexity and high availability impact, reflecting the narrow timing window. The EPSS score is 0.038% at the 11.408 percentile, indicating low observed exploitation probability.
No verified exploit code is publicly available. Refer to the NLnet Labs CVE-2026-44608 Report for vendor technical details.
Detection Methods for CVE-2026-44608
Indicators of Compromise
- Unexpected Unbound process crashes or restarts coinciding with RPZ XFR events
- Core dumps showing heap corruption in RPZ trigger traversal functions
- Gaps in DNS resolution availability matching RPZ feed update windows
Detection Strategies
- Audit Unbound configuration for num-threads > 1 combined with RPZ zones using rpz-nsip or rpz-nsdname triggers sourced via XFR
- Correlate resolver crash events with auth-zone or RPZ master notifications in operational logs
- Inventory Unbound binaries across infrastructure and flag versions between 1.14.0 and 1.25.0
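The three audit checks above can be scripted. The following is an added example (not NLnet Labs code) that reads a minimal unbound.conf, flags an affected version, num-threads greater than 1, rpz clauses fed from a remote source (master/primary/url), and the presence of rpz-nsip or rpz-nsdname trigger records in the zone text; the config and zone lines it runs on are constructed samples.

```python
"""Audit helper for the CVE-2026-44608 preconditions (added example, not NLnet Labs code):
affected version, num-threads > 1, remotely fed rpz clauses, nsip/nsdname triggers."""
import re

AFFECTED_MIN, AFFECTED_MAX = (1, 14, 0), (1, 25, 0)  # range stated in the advisory
TRIGGER_RE = re.compile(r"\.rpz-(nsip|nsdname)\.", re.IGNORECASE)

def version_affected(version):
    """True for 1.14.0 <= version <= 1.25.0 inclusive."""
    return AFFECTED_MIN <= tuple(int(p) for p in version.split(".")) <= AFFECTED_MAX

def parse_unbound_conf(text):
    """Minimal reader: '#' comments, clause headers such as 'server:' or 'rpz:',
    one 'key: value' per line. Returns (num-threads, [rpz zone dicts])."""
    threads, zones, clause = 1, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header
            clause = line[:-1]
            if clause == "rpz":
                zones.append({"name": None, "remote": False})
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if clause == "server" and key == "num-threads":
            threads = int(value)
        elif clause == "rpz" and zones:
            if key == "name":
                zones[-1]["name"] = value
            elif key in ("master", "primary", "url"):  # zone data pulled from a remote
                zones[-1]["remote"] = True
    return threads, zones

def zone_triggers(zone_text):
    """Trigger families (nsip/nsdname) present in RPZ zone text."""
    return sorted({m.group(1).lower() for m in TRIGGER_RE.finditer(zone_text)})

def assess(version, conf_text, zone_texts):
    """Names of rpz zones meeting every precondition; [] if the host is not exposed."""
    threads, zones = parse_unbound_conf(conf_text)
    if not version_affected(version) or threads < 2:
        return []
    return [z["name"] for z in zones
            if z["remote"] and zone_triggers(zone_texts.get(z["name"], ""))]

# Constructed sample input (not from any real deployment).
SAMPLE_CONF = 'server:\n    num-threads: 4\nrpz:\n    name: "rpz.example."\n    primary: 192.0.2.10\n'
SAMPLE_ZONE = "ns1.bad.example.rpz-nsdname.rpz.example. CNAME .\n"
```

Feed it the installed version (for example from `unbound -V`) and, for each remotely fed zone, the text of its zonefile; a non-empty result means every stated precondition is present on that host.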
Monitoring Recommendations
- Monitor Unbound systemd unit restart counters and DNS query failure rates
- Enable Unbound verbosity to capture RPZ XFR start and completion timestamps for incident correlation
- Track resolver availability metrics through external probes to detect transient outages tied to zone reloads
How to Mitigate CVE-2026-44608
Immediate Actions Required
- Upgrade affected installations to Unbound 1.25.1 or later, which contains the corrected locking logic
- Identify all Unbound resolvers running multi-threaded with RPZ-over-XFR configurations and prioritize patching
- Coordinate maintenance windows with RPZ feed providers to minimize XFR activity during upgrade
Patch Information
NLnet Labs released Unbound 1.25.1 with a fix to the RPZ locking code. The patch ensures reader threads hold the appropriate lock for the full duration of RPZ trigger traversal, preventing the XFR thread from freeing objects still in use. Patch details and source links are available in the NLnet Labs CVE-2026-44608 Report.
Workarounds
- Run Unbound single-threaded by setting num-threads: 1 until the upgrade is applied
- Replace RPZ XFR delivery with local RPZ files, which do not trigger the vulnerable code path
- Remove rpz-nsip and rpz-nsdname triggers from RPZ zones served via XFR if those policy types are not required
# Configuration example: temporary single-threaded mitigation in unbound.conf
server:
    num-threads: 1

# Optional: switch RPZ delivery to a local file until patched
rpz:
    name: "rpz.example."
    zonefile: "/etc/unbound/rpz.example.zone"
    # Remove or comment out url:/master: directives that drive XFR delivery
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.