Unbound DNSSEC deep-copy bug (CVE-2026-33278), fixed 1.25.1
CVE-2026-33278 Published on May 20, 2026
Possible arbitrary code execution during DNSSEC validation
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables denial of service and possible remote code execution as a result of deep copying a data structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-copies response messages to preserve them across memory region teardown. A struct-assignment bug overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep copying the data structure.
Timeline
Issue reported by Qifan Zhang
NLnet Labs shares patch 14 days later.
Qifan Zhang verifies patch
Fixes released with version 1.25.1 21 days later.
Weakness Types
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2026-33278 has been classified to as a Dangling pointer vulnerability or weakness.
Operation on a Resource after Expiration or Release
The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
Products Associated with CVE-2026-33278
Want to know whenever a new CVE is published for Nlnetlabs Unbound? stack.watch will email you.
Affected Versions
NLnet Labs Unbound:- Version 1.19.1 and below 1.25.1 is affected.