Problem Description:
Multiple vulnerabilities have been reported in Unbound. Detailed
writeups for each issue are not listed here; please see the upstream
advisories referenced below.
- CVE-2026-32792: Packet of death with DNSCrypt
- CVE-2026-33278: Possible remote code execution during DNSSEC validation
- CVE-2026-40622: "Ghost domain name" variant
- CVE-2026-41292: Parsing a long list of incoming EDNS options degrades performance
- CVE-2026-42534: Jostle logic bypass degrades resolution performance
- CVE-2026-42923: Degradation of service with unbounded NSEC3 hash calculations
- CVE-2026-42944: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
- CVE-2026-42959: Crash during DNSSEC validation of malicious content
- CVE-2026-42960: Possible cache poisoning while following delegation
- CVE-2026-44390: Unbounded name compression causes degradation of service
- CVE-2026-44608: Use-after-free and crash in RPZ code
Impact:
The issues range from Denial of Service (DoS) through resource
exhaustion or crashes to possible remote code execution during
DNSSEC validation. See the upstream Unbound advisories for specific
details.