CVE-2026-44608 — Vulnetix

CVE-2026-44608 PUBLISHED CVSS 4.599999904632568 MEDIUM

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.

EPSS 0.05% · 16.8th percentile

Risk Scores

CVSS v4.0

4.599999904632568

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

EPSS Score

0.05%

16.8th percentile

Affected Products

Vendor	Product	Versions
nlnetlabs	unbound	1.14.0
NLnet Labs	Unbound	1.14.0

Timeline

May 20, 2026 EPSS Score
May 20, 2026 CVE Published
May 20, 2026 PoC Published
May 20, 2026 PoC Published
May 20, 2026 CVE Updated
May 21, 2026 EPSS Score
May 21, 2026 Coalition ESS Score
May 21, 2026 Security Advisory
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score

References

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-44608 advisory

Open in Interactive Console →