PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40622 NLnet Labs CVE debrief

CVE-2026-40622 describes a DNS cache integrity issue in NLnet Labs Unbound affecting versions 1.16.2 through 1.25.0. It belongs to the ghost-domain attack family, where a zone whose delegation has been removed at the parent keeps being served by its own (attacker-controlled) name servers and a resolver keeps it alive from cache. A remote adversary who controls such a ghost zone and can query a vulnerable resolver can cause an expired parent-side referral NS RRset in cache to be replaced with the child-side apex NS RRset, extending the ghost-domain window by up to one cached TTL as bounded by cache-max-ttl. The vendor states that Unbound 1.25.1 contains the fix. The replacement is triggered directly when the resolver receives a client NS query for the zone; with the non-default harden-referral-path: yes setting, Unbound performs that NS query itself, so no client query is needed.

Vendor
NLnet Labs
Product
Unbound
CVSS
MEDIUM 6.6
CISA KEV
Not listed in the supplied evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

Operators and maintainers of Unbound recursive resolvers, especially those running versions 1.16.2 through 1.25.0. Pay particular attention if your resolver accepts queries from untrusted clients, if you rely on cache-max-ttl to bound how long stale delegation data can persist, or if you use the non-default harden-referral-path: yes setting.

Technical summary

The reported flaw is a cache integrity problem in the ghost-domain family described above. According to the advisory text, an attacker controlling a ghost zone and able to query a vulnerable Unbound instance can cause the resolver to overwrite a cached, already expired parent-side referral NS RRset with the child-side apex NS RRset served by the ghost zone itself. Because the child-side RRset is cached with its own TTL, this extends the period during which the ghost zone remains resolvable by up to one cached TTL, capped by cache-max-ttl (default 86400 seconds). The advisory further states that when harden-referral-path: yes is enabled, a client NS query is not required, because Unbound implicitly performs that query during resolution. The fix in 1.25.1 prevents extension of TTLs for parent-side NS records regardless of the trust level of the data that would replace them.
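The replacement rule above, as an added toy model written for this debrief (not Unbound source, and not a description of Unbound's actual cache implementation): a parent-side referral with a 1-hour TTL expires, then a child-side apex NS RRset with a 7-day TTL arrives; the pre-fix rule overwrites the expired referral with a fresh TTL capped at cache-max-ttl, while the 1.25.1 rule as the advisory states it never lets child data extend a parent-side NS expiry. Zone names, TTLs and the simulated clock are constructed for the example.

```python
"""Toy model of the NS-cache replacement rule the advisory describes.

Added illustration for this debrief, not Unbound code. Times are simulated
seconds. fixed=True applies the 1.25.1 rule as the advisory states it
(parent-side NS TTLs are never extended); fixed=False models the pre-fix
behaviour on an expired parent-side referral.
"""

from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class NsRRset:
    names: Tuple[str, ...]   # NS target names
    expiry: float            # absolute simulated time at which the RRset expires
    parent_side: bool        # learned from the parent's referral, not the child apex


class NsCache:
    def __init__(self, cache_max_ttl: int = 86400, fixed: bool = False):
        self.cache_max_ttl = cache_max_ttl   # mirrors the cache-max-ttl cap
        self.fixed = fixed
        self.entries: Dict[str, NsRRset] = {}

    def store_referral(self, zone: str, names, ttl: int, now: float) -> None:
        """Parent-side referral NS RRset, TTL capped at cache-max-ttl."""
        self.entries[zone] = NsRRset(tuple(names), now + min(ttl, self.cache_max_ttl), True)

    def store_child_apex(self, zone: str, names, ttl: int, now: float) -> None:
        """Child-side apex NS RRset, e.g. the answer to an NS query sent to the child."""
        ttl = min(ttl, self.cache_max_ttl)
        old = self.entries.get(zone)
        if old is None or not old.parent_side:
            self.entries[zone] = NsRRset(tuple(names), now + ttl, False)
            return
        if not self.fixed and old.expiry <= now:
            # Vulnerable path: an *expired* parent-side referral is overwritten by
            # child data with a fresh TTL, so the ghost zone stays resolvable for
            # up to cache-max-ttl more seconds.
            self.entries[zone] = NsRRset(tuple(names), now + ttl, False)
            return
        # Otherwise the parent-side expiry is the upper bound. The fixed rule
        # applies this regardless of whether the referral has already expired.
        self.entries[zone] = NsRRset(tuple(names), min(now + ttl, old.expiry), True)

    def resolvable(self, zone: str, now: float) -> bool:
        """True if a non-expired NS RRset for the zone is in cache."""
        e = self.entries.get(zone)
        return e is not None and e.expiry > now


def ghost_window_extension(fixed: bool, cache_max_ttl: int = 86400) -> float:
    """Seconds the ghost zone stays resolvable past the parent-side expiry.

    Constructed scenario: referral cached at t=0 with a 1h TTL; at t=3600 the
    delegation has expired and the ghost zone's own server answers an NS query
    with a 7-day TTL.
    """
    zone = "ghost.example."            # constructed zone name
    ns = ["ns1.ghost.example."]        # constructed NS target
    cache = NsCache(cache_max_ttl, fixed)
    cache.store_referral(zone, ns, ttl=3600, now=0)
    if cache.resolvable(zone, now=3600):
        raise RuntimeError("referral should have expired at t=3600")
    cache.store_child_apex(zone, ns, ttl=604800, now=3600)
    return cache.entries[zone].expiry - 3600


if __name__ == "__main__":
    print("pre-fix extension:", ghost_window_extension(fixed=False), "s")
    print("1.25.1 extension: ", ghost_window_extension(fixed=True), "s")
```

The model also shows why cache-max-ttl matters on an unpatched resolver: the extra window is bounded by that cap, so a smaller value shortens the exposure but does not remove it.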

Defensive priority

Medium. The issue is remotely triggerable under specific conditions and affects DNS cache integrity, but the attack requires control of a ghost zone and query reachability to a vulnerable resolver. Priority increases for publicly reachable recursive resolvers and environments that depend on strict referral validation or cache freshness guarantees.

Recommended defensive actions

  • Upgrade Unbound to 1.25.1 or later as soon as practical.
  • Review whether affected resolvers are exposed to untrusted clients or external networks.
  • Check whether harden-referral-path: yes is enabled on production resolvers; with it enabled, no client NS query is needed to trigger the issue, so such resolvers should be upgraded first.
  • Review cache-max-ttl: on an unpatched resolver it bounds the extra ghost-domain window the advisory describes, so a lower value shrinks the exposure until the upgrade lands, at the cost of more upstream queries.
  • Monitor vendor guidance and release notes for any additional mitigation or backport information.
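An added audit helper for the steps above (written for this debrief, not a NLnet Labs tool): it compares an Unbound version string against the affected range the advisory names, reads harden-referral-path and cache-max-ttl out of an unbound.conf-style text, and optionally queries the installed binary with unbound -V. The sample configuration is constructed; the parser assumes one option per line and does not follow include: directives; the expectation that unbound -V prints a first line of the form "Version X.Y.Z" is an assumption noted in the code.

```python
"""Pre-upgrade audit helper for the CVE-2026-40622 advice above.

Added example for this debrief (not NLnet Labs code). Checks a version
string against the affected range stated in the advisory and reads the
two settings the advisory mentions out of an unbound.conf-style text.
"""

import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (1, 16, 2)   # first affected release per the advisory
FIXED_AT = (1, 25, 1)       # first fixed release per the advisory

# Constructed sample configuration (not from any real deployment).
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    harden-referral-path: yes   # non-default setting
    cache-max-ttl: 86400
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.25.0' (or '1.25.0rc1', treated as 1.25.0) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True for 1.16.2 <= version < 1.25.1, the range the advisory names."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


def parse_version_output(text: str) -> Optional[str]:
    """Extract the version from `unbound -V` output.

    Assumption: the first line reads 'Version X.Y.Z'.
    """
    m = re.search(r"^Version\s+(\S+)", text, re.MULTILINE)
    return m.group(1) if m else None


def installed_version() -> Optional[str]:
    """Run `unbound -V` if the binary is on PATH; None otherwise."""
    if shutil.which("unbound") is None:
        return None
    out = subprocess.run(["unbound", "-V"], capture_output=True, text=True, check=False)
    return parse_version_output(out.stdout)


def read_settings(conf_text: str) -> Dict[str, str]:
    """Collect the 'option: value' lines for the two settings the advisory discusses.

    Assumptions: one option per line, '#' starts a comment, the last occurrence
    of an option wins, and include: directives are not followed.
    """
    wanted = {"harden-referral-path", "cache-max-ttl"}
    found: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key in wanted:
            found[key] = value
    return found


def assess(version: str, conf_text: str) -> List[str]:
    """Findings an operator wants before deciding upgrade priority."""
    findings: List[str] = []
    if is_affected(version):
        findings.append(
            f"Unbound {version} is in the affected range 1.16.2 through 1.25.0; upgrade to 1.25.1 or later"
        )
    settings = read_settings(conf_text)
    if settings.get("harden-referral-path", "no").lower() == "yes":
        findings.append(
            "harden-referral-path: yes is set; the implicit NS query removes the need for a client NS query"
        )
    max_ttl = int(settings.get("cache-max-ttl", "86400"))   # 86400 is Unbound's documented default
    findings.append(
        f"cache-max-ttl is {max_ttl}s; on an unpatched resolver that bounds the extra ghost-domain window"
    )
    return findings


if __name__ == "__main__":
    ver = installed_version() or "1.24.2"   # constructed fallback when unbound is not installed
    for finding in assess(ver, SAMPLE_CONF):
        print("-", finding)
```

Point read_settings at the real unbound.conf (and any files it includes) rather than the constructed sample when using this on a production host.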

Evidence notes

This debrief is based only on the supplied NVD record and the referenced official NLnet Labs advisory path. The supplied source text states that Unbound 1.16.2 through 1.25.0 are affected and that 1.25.1 contains the fix. It also states the attack conditions, the ghost-domain family behavior, and the role of harden-referral-path: yes. No additional product scope, exploit detail, or environmental impact beyond the provided corpus has been added.

Official resources

Published 2026-05-20T10:16:26.850Z and modified 2026-05-20T14:02:12.280Z. The supplied corpus attributes the issue to NLnet Labs Unbound and states that version 1.25.1 contains the fix.