Home / mailings [USN-8282-1] Unbound vulnerabilities
Posted on 20 May 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8282-1
May 20, 2026
unbound vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in Unbound.
Software Description:
- unbound: validating, recursive, caching DNS resolver
Details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622)
Qifan Zhang discovered that Unbound did not properly limit processing of
long EDNS option lists. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-41292)
Qifan Zhang discovered that Unbound incorrectly handled jostle logic under
certain circumstances. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42534)
Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash
calculations. A remote attacker could possibly use this issue to cause
Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42923)
Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS
options in certain situations. A remote attacker could possibly use this
issue to cause Unbound to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
of malicious content. A remote attacker could possibly use this issue to
cause Unbound to crash, resulting in a denial of service.
(CVE-2026-42959)
TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound
incorrectly handled delegation processing in certain situations. A remote
attacker could possibly use this issue to poison the DNS cache and obtain
sensitive information. (CVE-2026-42960)
Qifan Zhang discovered that Unbound did not properly bound name
compression in certain cases. A remote attacker could possibly use this
issue to cause Unbound to use excessive resources, leading to a denial of
service. (CVE-2026-44390)
Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ
handling. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service, or execute arbitrary code.
This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04
LTS. (CVE-2026-44608)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libunbound8 1.24.2-1ubuntu2.1
unbound 1.24.2-1ubuntu2.1
Ubuntu 25.10
libunbound8 1.22.0-2ubuntu2.3
unbound 1.22.0-2ubuntu2.3
Ubuntu 24.04 LTS
libunbound8 1.19.2-1ubuntu3.8
unbound 1.19.2-1ubuntu3.8
Ubuntu 22.04 LTS
libunbound8 1.13.1-1ubuntu5.15
unbound 1.13.1-1ubuntu5.15
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8282-1
CVE-2026-32792, CVE-2026-33278, CVE-2026-40622, CVE-2026-41292,
CVE-2026-42534, CVE-2026-42923, CVE-2026-42944, CVE-2026-42959,
CVE-2026-42960, CVE-2026-44390, CVE-2026-44608
Package Information:
https://launchpad.net/ubuntu/+source/unbound/1.24.2-1ubuntu2.1
https://launchpad.net/ubuntu/+source/unbound/1.22.0-2ubuntu2.3
https://launchpad.net/ubuntu/+source/unbound/1.19.2-1ubuntu3.8
https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubuntu5.15
--===============5768568923810384362==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
