PatchSiren cyber security CVE debrief
CVE-2026-44608 NLnet Labs CVE debrief
CVE-2026-44608 describes a locking inconsistency in NLnet Labs Unbound that can lead to a heap use-after-free and eventual crash when specific conditions line up: the resolver is multi-threaded, an RPZ zone uses rpz-nsip or rpz-nsdname triggers, and an XFR reload of that RPZ zone is happening at the same time another thread reads the zone. The issue does not apply to local RPZ files. NLnet Labs states that Unbound 1.25.1 includes a fix to the locking code.
- Vendor: NLnet Labs
- Product: Unbound
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Operators running affected Unbound versions in multi-threaded configurations, especially those using Response Policy Zone (RPZ) zones with rpz-nsip or rpz-nsdname triggers and zone transfers (XFR) for policy updates. Resolvers that do not use these conditions are less exposed, and local RPZ files are specifically noted as not triggering the vulnerability.
Technical summary
NVD lists affected versions as Unbound 1.14.0 through 1.25.0 and cites CWE-413 (Improper Resource Locking). The vendor description indicates that during an RPZ XFR reload, one thread may not hold the lock long enough while another thread applies the update. If the updater frees objects that a reader thread is about to traverse, a heap use-after-free can occur, resulting in a crash. The CVSS v4.0 vector is AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H, reflecting remote reachability but requiring specific operational conditions.
Defensive priority
Medium. The issue is not described as code-execution capable in the supplied material, but it can cause denial of service in exposed resolver deployments with the stated RPZ/XFR/threading setup.
Recommended defensive actions
- Upgrade Unbound to 1.25.1 or later, per the vendor advisory and NVD version bounds.
- Review whether your deployment uses multi-threading together with RPZ zones that rely on rpz-nsip or rpz-nsdname triggers and XFR-based reloads.
- If immediate upgrade is not possible, reduce exposure by reassessing RPZ update architecture and avoiding the vulnerable combination of concurrent XFR reloads and the affected trigger types.
- Validate monitoring and restart procedures for resolver crashes so a denial-of-service event can be recovered quickly.
- Track the vendor advisory for any additional guidance specific to your deployment model.
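The deployment review in the actions above, as an added example that is not part of this debrief or of Unbound itself: it reads unbound.conf text and the RPZ zone data the resolver loads, and names the rpz: zones that meet all three stated conditions (multi-threaded resolver, zone refreshed by XFR rather than a local file, NSIP or NSDNAME triggers present). The sample configuration and zone records are constructed; the rpz: option names follow unbound.conf(5) and the trigger owner labels follow the standard RPZ format.

```python
"""Added example, not NLnet Labs or Unbound code: flag RPZ zones that match the
CVE-2026-44608 conditions, from unbound.conf text plus the RPZ zone data it loads.
Assumed: rpz: keys as in unbound.conf(5) (name, primary/master/url, zonefile),
num-threads defaulting to 1, standard .rpz-nsip. / .rpz-nsdname. trigger labels."""
import re

def parse_unbound_conf(text):
    """Return (num_threads, list of dicts, one per rpz: clause)."""
    num_threads, zones, current = 1, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                              # clause header (server:, rpz:, ...)
            current = {} if key == "rpz" else None   # only rpz: clauses are collected
            zones += [current] if current is not None else []
        elif key == "num-threads":
            num_threads = int(value)
        elif current is not None:                    # an option inside an rpz: clause
            current[key] = value
    return num_threads, zones

def zone_uses_ns_triggers(zone_text):
    """True if any record owner name is an NSIP or NSDNAME trigger."""
    trigger = re.compile(r"^\S*\.rpz-ns(?:ip|dname)(?:\.|\s)", re.IGNORECASE)
    return any(trigger.match(line) for line in zone_text.splitlines())

def vulnerable_combination(conf_text, zone_data):
    """zone_data: zone name -> zone text. Returns names of rpz: zones on a
    multi-threaded resolver that are XFR-refreshed and carry NS triggers."""
    num_threads, zones = parse_unbound_conf(conf_text)
    data = {k.lower().rstrip("."): v for k, v in zone_data.items()}
    return [z["name"] for z in zones
            if num_threads > 1 and any(k in z for k in ("primary", "master", "url"))
            and zone_uses_ns_triggers(data.get(z.get("name", "").lower().rstrip("."), ""))]

SAMPLE_CONF = """server:
    num-threads: 4
rpz:
    name: "rpz.example.com"
    primary: 192.0.2.10    # constructed XFR primary; this zone is refreshed by XFR
rpz:
    name: "local-rpz.example"
    zonefile: "/var/lib/unbound/local-rpz.zone"
"""
SAMPLE_ZONES = {"rpz.example.com.": "*.bad.example.rpz-nsdname CNAME .\n32.10.2.0.192.rpz-nsip CNAME .\n",
                "local-rpz.example.": "*.bad.example.rpz-nsdname CNAME .\n"}
print(vulnerable_combination(SAMPLE_CONF, SAMPLE_ZONES))  # ['rpz.example.com']
```

The local-only zone carries the same triggers but is not reported, matching the vendor statement that local RPZ files do not trigger the issue.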
Evidence notes
All substantive claims in this debrief are taken from the supplied NVD record and the linked NLnet Labs advisory reference. The NVD entry states the affected version range (1.14.0 through 1.25.0), the CWE classification (CWE-413), and the CVSS 4.0 vector. The vendor description in the supplied corpus states the triggering conditions, notes that local RPZ files do not trigger the vulnerability, and identifies Unbound 1.25.1 as containing the fix. No exploit steps or unsupported impact claims are included.
Official resources
- CVE-2026-44608 CVE record (CVE.org)
- CVE-2026-44608 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Mitigation, Vendor Advisory)
Published by NVD on 2026-05-20 and last modified the same day in the supplied record. The vendor advisory reference linked in the source corpus falls within the same disclosure window; use the vendor and NVD pages for the authoritative advis