
Ubuntu alert USN-8282-2 (unbound)

From:  noreply+usn-bot--- via ubuntu-security-announce <ubuntu-security-announce@lists.ubuntu.com>
To:  ubuntu-security-announce@lists.ubuntu.com
Subject:  [USN-8282-2] Unbound vulnerabilities
Date:  Tue, 02 Jun 2026 19:20:08 +0000
Message-ID:  <E1wUUem-0005Vm-DU@lists.ubuntu.com>
Cc:  noreply+usn-bot@canonical.com

==========================================================================
Ubuntu Security Notice USN-8282-2
June 02, 2026

unbound vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Unbound.

Software Description:
- unbound: validating, recursive, caching DNS resolver

Details:

USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS,
Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.

Original advisory details:

 Andrew Griffiths discovered that Unbound did not properly handle certain
 DNSCrypt packets. A remote attacker could possibly use this issue to cause
 Unbound to crash, resulting in a denial of service. (CVE-2026-32792)

 Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
 in certain situations. A remote attacker could possibly use this issue to
 execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
 Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)

 Qifan Zhang discovered that Unbound incorrectly handled certain ghost
 domain name records. A remote attacker could possibly use this issue to
 cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
 Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622)

 Qifan Zhang discovered that Unbound did not properly limit processing of
 long EDNS option lists. A remote attacker could possibly use this issue to
 cause Unbound to use excessive resources, leading to a denial of service.
 (CVE-2026-41292)

 Qifan Zhang discovered that Unbound incorrectly handled jostle logic under
 certain circumstances. A remote attacker could possibly use this issue to
 cause Unbound to use excessive resources, leading to a denial of service.
 (CVE-2026-42534)

 Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash
 calculations. A remote attacker could possibly use this issue to cause
 Unbound to use excessive resources, leading to a denial of service.
 (CVE-2026-42923)

 Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS
 options in certain situations. A remote attacker could possibly use this
 issue to cause Unbound to crash, resulting in a denial of service, or
 execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
 Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944)

 Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
 of malicious content. A remote attacker could possibly use this issue to
 cause Unbound to crash, resulting in a denial of service. (CVE-2026-42959)

 TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound incorrectly
 handled delegation processing in certain situations. A remote attacker
 could possibly use this issue to poison the DNS cache and obtain sensitive
 information. (CVE-2026-42960)

 Qifan Zhang discovered that Unbound did not properly bound name
 compression in certain cases. A remote attacker could possibly use this
 issue to cause Unbound to use excessive resources, leading to a denial of
 service. (CVE-2026-44390)

 Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ
 handling. A remote attacker could possibly use this issue to cause Unbound
 to crash, resulting in a denial of service, or execute arbitrary code.
 This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and
 Ubuntu 26.04 LTS. (CVE-2026-44608)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.04 LTS
  libunbound8                     1.9.4-2ubuntu1.11+esm1
                                  Available with Ubuntu Pro
  unbound                         1.9.4-2ubuntu1.11+esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  libunbound2                     1.6.7-1ubuntu2.6+esm4
                                  Available with Ubuntu Pro
  unbound                         1.6.7-1ubuntu2.6+esm4
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS
  libunbound2                     1.5.8-1ubuntu1.1+esm3
                                  Available with Ubuntu Pro
  unbound                         1.5.8-1ubuntu1.1+esm3
                                  Available with Ubuntu Pro

Ubuntu 14.04 LTS
  libunbound2                     1.4.22-1ubuntu4.14.04.3+esm3
                                  Available with Ubuntu Pro
  unbound                         1.4.22-1ubuntu4.14.04.3+esm3
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-8282-2
  https://ubuntu.com/security/notices/USN-8282-1
  CVE-2026-41292, CVE-2026-42959, CVE-2026-42960


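One way to check a host against the fixed versions listed under "Update instructions" (an added example, not part of the Ubuntu notice). The function names are hypothetical, and the script assumes dpkg and dpkg-query are available and that the release number is passed as the first argument.

```shell
#!/bin/sh
# Added example: compare installed Unbound packages with the fixed
# versions copied from the USN-8282-2 "Update instructions" section.

# Print "<library package> <fixed version>" for an Ubuntu release number.
fixed_for_release() {
    case "$1" in
        20.04) echo "libunbound8 1.9.4-2ubuntu1.11+esm1" ;;
        18.04) echo "libunbound2 1.6.7-1ubuntu2.6+esm4" ;;
        16.04) echo "libunbound2 1.5.8-1ubuntu1.1+esm3" ;;
        14.04) echo "libunbound2 1.4.22-1ubuntu4.14.04.3+esm3" ;;
        *) return 1 ;;   # release not listed in this notice
    esac
}

# Echo patched | vulnerable | not-installed for an installed version
# (empty string means the package is absent) against the fixed version.
classify() {
    if [ -z "$1" ]; then echo not-installed
    elif dpkg --compare-versions "$1" ge "$2"; then echo patched
    else echo vulnerable
    fi
}

# Report the state of unbound and its library package for one release.
# Returns 1 if either package is below the fixed version.
check_release() {
    line=$(fixed_for_release "$1") || {
        echo "release $1 is not covered by USN-8282-2"; return 2; }
    lib=${line% *}; fixed=${line#* }
    rc=0
    for pkg in unbound "$lib"; do
        st=$(dpkg-query -W -f='${Status} ${Version}' "$pkg" 2>/dev/null)
        # Only fully installed packages count; removed ones keep a status line.
        case "$st" in
            "install ok installed "*) inst=${st##* } ;;
            *) inst= ;;
        esac
        state=$(classify "$inst" "$fixed")
        echo "$pkg: installed=${inst:-none} fixed=$fixed -> $state"
        [ "$state" = vulnerable ] && rc=1
    done
    return $rc
}

# Run only when a release number is given, e.g.: sh check.sh 20.04
if [ $# -gt 0 ]; then check_release "$1"; fi
```

The "+esm" builds sort after the plain versions in Debian version ordering, so a host still on the last non-ESM build is reported as vulnerable.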

