Hi there,

(The official announcement can be found at: https://nlnetlabs.nl/news/2026/May/20/unbound-1.25.1-released/)

Several vulnerabilities were found in Unbound. We are releasing 1.25.1 as a security release on May 20 including the relevant fixes.

The overview of the vulnerabilities with a brief description is:

CVE-2026-33278 - severity: CRITICAL
  Possible remote code execution during DNSSEC validation

CVE-2026-42944 - severity: HIGH
  Heap overflow and crash with multiple nsid, cookie, padding EDNS options

CVE-2026-42959 - severity: HIGH
  Crash during DNSSEC validation of malicious content

CVE-2026-32792 - severity: MEDIUM
  Packet of death with DNSCrypt (feasibility very low)

CVE-2026-40622 - severity: MEDIUM
  "Ghost domain name" variant

CVE-2026-41292 - severity: MEDIUM
  Parsing a long list of incoming EDNS options degrades performance

CVE-2026-42534 - severity: MEDIUM
  Jostle logic bypass degrades resolution performance

CVE-2026-42923 - severity: MEDIUM
  Degradation of service with unbounded NSEC3 hash calculations

CVE-2026-42960 - severity: MEDIUM
  Possible cache poisoning attack while following delegation

CVE-2026-44390 - severity: MEDIUM
  Unbounded name compression in certain cases causes degradation of service

CVE-2026-44608 - severity: MEDIUM
  Use after free and crash in RPZ code (special requirements apply)

More information about the vulnerabilities can be found at: https://nlnetlabs.nl/projects/unbound/security-advisories/

Best regards,
-- Yorgos, on behalf of the Unbound team.

** This email is signed. Keys of the NLnet Labs people are published on https://www.nlnetlabs.nl/people/ **
