PatchSiren

CVE-2026-44390 NLnet Labs CVE debrief

CVE-2026-44390 is a denial-of-service issue in NLnet Labs Unbound. According to the vendor advisory and NVD, Unbound up to and including 1.25.0 can spend a considerable amount of CPU time applying name compression to replies containing very large RRsets, especially when the records do not share a suffix above the root. In well-orchestrated attacks, this can degrade performance and eventually lead to service denial. Unbound 1.25.1 contains the fix, and the vendor describes it as a complement to CVE-2024-8508.

Vendor: NLnet Labs
Product: Unbound
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Operators running NLnet Labs Unbound recursive resolvers, especially in environments exposed to untrusted upstream responses or to zones that may trigger unusually large RRsets. SRE, DNS platform, and network security teams should prioritize this if they manage Unbound versions at or below 1.25.0.

Technical summary

The issue is triggered during response construction, when Unbound tries to apply name compression to downstream replies. For specially crafted zones with very large RRsets, the compression process could become effectively unbounded and consume CPU until packet assembly completes. A prior compression limit added in 1.21.1 did not fully account for cases where records share no suffix above the root: those cases take a different code path in which the compression counter was not incremented. The 1.25.1 fix increments the compression counter regardless of the compression tree lookup outcome. NVD classifies the weakness as CWE-407 and lists the affected version range as all Unbound versions through 1.25.0.
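The counter behaviour described above can be seen in a small model. This is an added example, not Unbound source code: the function names, the LIMIT value and the linear scan standing in for the compression tree are all assumptions made for illustration, and the input names are constructed.

```c
/* Constructed model, not Unbound source code; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define LIMIT 64     /* assumed cap on compression attempts per reply */
#define MAXN  2048   /* capacity of the model's name store */
static char sample[MAXN][32];   /* constructed input names */

/* "h1.example." -> "example." (the suffix above the first label) */
static const char *parent(const char *name) {
    const char *dot = strchr(name, '.');
    return dot ? dot + 1 : "";
}

/* Constructed input: n names that all share "example." (shared != 0)
 * or share nothing above the root: "h.z0.", "h.z1.", ... (shared == 0). */
void make_names(char out[][32], int n, int shared) {
    for (int i = 0; i < n; i++) {
        if (shared) snprintf(out[i], 32, "h%d.example.", i);
        else        snprintf(out[i], 32, "h.z%d.", i);
    }
}

/* Pack n names and return the number of suffix comparisons spent on
 * compression lookups (a linear scan stands in for the compression tree).
 * fixed == 0: the counter advances only when a lookup finds a match.
 * fixed != 0: the counter advances on every lookup, match or not. */
unsigned long pack_cost(char names[][32], int n, int fixed) {
    const char *seen[MAXN];
    int nseen = 0, counter = 0;
    unsigned long work = 0;
    for (int i = 0; i < n && i < MAXN; i++) {
        int hit = 0;
        if (counter < LIMIT) {            /* limit not reached: try to compress */
            const char *p = parent(names[i]);
            for (int j = 0; j < nseen && !hit; j++) {
                work++;
                hit = strcmp(parent(seen[j]), p) == 0;
            }
            if (hit || fixed) counter++;
        }
        if (!hit) seen[nseen++] = names[i];   /* store for later lookups */
    }
    return work;
}

int main(void) {
    make_names(sample, 2000, 0);          /* no shared suffix above the root */
    printf("match-only counter: %lu, every-lookup counter: %lu\n",
           pack_cost(sample, 2000, 0), pack_cost(sample, 2000, 1));
    return 0;
}
```

With 2000 names that share no suffix, the match-only counter never reaches the limit and the lookup work grows quadratically; counting every lookup caps the work after LIMIT attempts.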

Defensive priority

High for exposed Unbound deployments. The impact is availability-focused and network-triggerable, and the vendor-supplied fix is already available in 1.25.1.

Recommended defensive actions

  • Upgrade NLnet Labs Unbound to version 1.25.1 or later as soon as practical.
  • Verify whether any resolver instances are still running Unbound 1.25.0 or earlier, including packaged or embedded deployments.
  • Monitor DNS resolver CPU usage and query latency for signs of compression-related exhaustion or sustained high load.
  • Review upstream and zone sources that could produce unusually large RRsets, and restrict exposure where possible.
  • Track CVE-2024-8508 together with this advisory because the vendor describes CVE-2026-44390 as a complement fix.

Evidence notes

This debrief is based only on the supplied NVD record and the linked NLnet Labs advisory. The NVD record lists Unbound versions ending before 1.25.1 as vulnerable, with a CVSS 4.0 vector indicating network-reachable availability impact. The vendor advisory states that 1.25.1 fixes the issue by incrementing the compression counter regardless of compression tree lookup, and it characterizes the issue as a complement to CVE-2024-8508. CVE published and modified timestamps supplied here are both 2026-05-20; those dates are used as the disclosure context for this record.

Official resources

CVE published and last modified on 2026-05-20 in the supplied record; vendor advisory and NVD reference Unbound 1.25.1 as the fixed release.