CVE-2026-40622 — Vulnetix

CVE-2026-40622 PUBLISHED CVSS 6.599999904632568 MEDIUM

NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.

EPSS 0.02% · 5.8th percentile

Risk Scores

CVSS v4.0

6.599999904632568

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

EPSS Score

0.02%

5.8th percentile

Affected Products

Vendor	Product	Versions
NLnet Labs	Unbound	1.16.2

Timeline

May 20, 2026 EPSS Score
May 20, 2026 CVE Published
May 20, 2026 PoC Published
May 20, 2026 PoC Published
May 20, 2026 CVE Updated
May 21, 2026 EPSS Score
May 21, 2026 Coalition ESS Score
May 21, 2026 Security Advisory
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score

References

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-40622 advisory

Open in Interactive Console →