CVE-2026-44608

Use after free and crash under special conditions in RPZ code

Assigner: NLnet Labs
Reserved: 07.05.2026 Published: 20.05.2026 Updated: 20.05.2026

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVSS Score: 4.6

RPZ configuration with vulnerable RPZ zone

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

RPZ configuration with vulnerable RPZ zone

CVSS 4.0

Product Status

Vendor	NLnet Labs
Product	Unbound
Versions	Default: unaffected affected from 1.14.0 to 1.25.1 (excl.)

Vendor

NLnet Labs

Product

Unbound

Versions

Default: unaffected

affected from 1.14.0 to 1.25.1 (excl.)

Solutions

This issue is fixed starting with version 1.25.1

Credits

Qifan Zhang (Palo Alto Networks) finder

References

Problem Types

CWE-413: Improper Resource Locking CWE