unbound-1.16.2-5.11.el8_10
Errata ID: AXSA:2026-768:04
The unbound packages provide a validating, recursive, and caching DNS or DNSSEC resolver.
Security Fix(es):
* unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options (CVE-2026-42944)
* unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages (CVE-2026-42959)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-42944
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
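A configuration check for the preconditions named above, as an added example that is not part of the advisory or of Unbound: it reads `unbound.conf` text and reports which of `nsid`, `answer-cookie` and `pad-responses` are in effect. The function names, the sample configurations, the last-setting-wins rule and the off-when-unset defaults for `nsid` and `answer-cookie` are assumptions of this example.

```python
import re

# Options the advisory lists as preconditions for CVE-2026-42944.
# pad-responses is on by default per the advisory; treating nsid and
# answer-cookie as off when unset is an assumption of this example.
DEFAULTS = {"nsid": "", "answer-cookie": "no", "pad-responses": "yes"}
OPTION_LINE = re.compile(r"^\s*([a-z0-9-]+):\s*(.*?)\s*$")

def effective_options(conf_text):
    """Effective value of each watched option in unbound.conf text.

    Assumes the last occurrence of an option wins; include: files are
    not followed.
    """
    values = dict(DEFAULTS)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        match = OPTION_LINE.match(line)
        if match and match.group(1) in values:
            values[match.group(1)] = match.group(2).strip("\"'")
    return values

def enabled_preconditions(conf_text):
    """Names of the CVE-2026-42944 precondition options that are enabled."""
    v = effective_options(conf_text)
    enabled = []
    if v["nsid"]:
        enabled.append("nsid")
    for name in ("answer-cookie", "pad-responses"):
        if v[name].lower() == "yes":
            enabled.append(name)
    return enabled

# Constructed sample configurations (not taken from any real host).
CONF_DEFAULTS = "server:\n    interface: 127.0.0.1\n"
CONF_ALL_ON = """server:
    nsid: "ascii_resolver1"   # identify this instance
    answer-cookie: yes
    pad-responses: yes
"""
CONF_ALL_OFF = """server:
    # nsid: "ascii_resolver1"
    answer-cookie: no
    pad-responses: no
"""

if __name__ == "__main__":
    for label, text in [("defaults", CONF_DEFAULTS), ("all on", CONF_ALL_ON),
                        ("all off", CONF_ALL_OFF)]:
        print(f"{label}: {enabled_preconditions(text) or 'none enabled'}")
```

A configuration that sets none of the three options still reports `pad-responses`, because the advisory marks it as enabled by default.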
CVE-2026-42959
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
Update packages.
SRPMS
- unbound-1.16.2-5.11.el8_10.src.rpm
MD5: cfec02cbb3a55dfda961d8b3464b23e0
SHA-256: 6d7ab55f91fb561d4a372b3efa501769e9f0fe79218a64f22918ae53bd003e05
Size: 6.02 MB
Asianux Server 8 for x86_64
- python3-unbound-1.16.2-5.11.el8_10.x86_64.rpm
MD5: 37334345e6730b8bc0e73727f6718896
SHA-256: 81dcacc376da38c7374590db7cb9bf1b31e3b216d1231a34141ef029b8eca330
Size: 129.53 kB
- unbound-1.16.2-5.11.el8_10.x86_64.rpm
MD5: 6c25053350294cf4d566a91e4d6f62df
SHA-256: 84124e688eaf97f6cd94595764e87639f6ffc8cf4f0834bd6ed117e0ca6490af
Size: 1.00 MB
- unbound-devel-1.16.2-5.11.el8_10.i686.rpm
MD5: 8bd84ba8833608fe2d7939db656ccae3
SHA-256: b9d9803c463ca0909dbcd9ecb45af8df357f852967f9281f85febe2c10084a8e
Size: 56.93 kB
- unbound-devel-1.16.2-5.11.el8_10.x86_64.rpm
MD5: b59144b0d949e97051dc41e2887129a3
SHA-256: c4964f0691d73076ffc1c24e426283b0b60003510b322d836dfc5b939cff20ce
Size: 56.91 kB
- unbound-libs-1.16.2-5.11.el8_10.i686.rpm
MD5: 1a98b469a728c720755c73aa56efd1f5
SHA-256: de549d12ec1463383e6c5c7624c84235202469adabda2354ba07bca7183690d4
Size: 618.10 kB
- unbound-libs-1.16.2-5.11.el8_10.x86_64.rpm
MD5: 31f2ddd252ff4729ef827ef309de201b
SHA-256: 5976cb2f8be7db1929d53e723512bb5221557d2002586e5f071fb8ae9f786bd8
Size: 577.55 kB