Ubuntu alert USN-8282-1 (unbound)
| From: | noreply+usn-bot@canonical.com | |
| To: | ubuntu-security-announce@lists.ubuntu.com | |
| Subject: | [USN-8282-1] Unbound vulnerabilities | |
| Date: | Wed, 20 May 2026 13:48:18 +0000 | |
| Message-ID: | <E1wPhHW-0006po-8k@lists.ubuntu.com> |
==========================================================================
Ubuntu Security Notice USN-8282-1
May 20, 2026

unbound vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Unbound.

Software Description:
- unbound: validating, recursive, caching DNS resolver

Details:

Andrew Griffiths discovered that Unbound did not properly handle certain DNSCrypt packets. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service. (CVE-2026-32792)

Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation in certain situations. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)

Qifan Zhang discovered that Unbound incorrectly handled certain ghost domain name records. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622)

Qifan Zhang discovered that Unbound did not properly limit processing of long EDNS option lists. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-41292)

Qifan Zhang discovered that Unbound incorrectly handled jostle logic under certain circumstances. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-42534)

Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash calculations. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-42923)

Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS options in certain situations. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944)

Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation of malicious content. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service. (CVE-2026-42959)

TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound incorrectly handled delegation processing in certain situations. A remote attacker could possibly use this issue to poison the DNS cache and obtain sensitive information. (CVE-2026-42960)

Qifan Zhang discovered that Unbound did not properly bound name compression in certain cases. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-44390)

Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ handling. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-44608)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 26.04 LTS
  libunbound8                     1.24.2-1ubuntu2.1
  unbound                         1.24.2-1ubuntu2.1

Ubuntu 25.10
  libunbound8                     1.22.0-2ubuntu2.3
  unbound                         1.22.0-2ubuntu2.3

Ubuntu 24.04 LTS
  libunbound8                     1.19.2-1ubuntu3.8
  unbound                         1.19.2-1ubuntu3.8

Ubuntu 22.04 LTS
  libunbound8                     1.13.1-1ubuntu5.15
  unbound                         1.13.1-1ubuntu5.15

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8282-1
  CVE-2026-32792, CVE-2026-33278, CVE-2026-40622, CVE-2026-41292,
  CVE-2026-42534, CVE-2026-42923, CVE-2026-42944, CVE-2026-42959,
  CVE-2026-42960, CVE-2026-44390, CVE-2026-44608

Package Information:
  https://launchpad.net/ubuntu/+source/unbound/1.24.2-1ubun...
  https://launchpad.net/ubuntu/+source/unbound/1.22.0-2ubun...
  https://launchpad.net/ubuntu/+source/unbound/1.19.2-1ubun...
  https://launchpad.net/ubuntu/+source/unbound/1.13.1-1ubun...
