These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-44608 describes a locking inconsistency in NLnet Labs Unbound that can lead to a heap use-after-free and eventual crash when specific conditions line up: the resolver is multi-threaded, an RPZ zone uses rpz-nsip or rpz-nsdname triggers, and an XFR reload of that RPZ zone is happening at the same time another thread reads the zone. The issue does not apply to local RPZ files. NLnet Labs states tha [truncated]
CVE-2026-44390 is a denial-of-service issue in NLnet Labs Unbound. According to the vendor advisory and NVD, Unbound up to and including 1.25.0 can spend a considerable amount of CPU time applying name compression to replies containing very large RRsets, especially when the records do not share a suffix above the root. In well-orchestrated attacks, this can degrade performance and eventually lead to servi [truncated]
CVE-2026-42944 is a network-exploitable heap overflow in NLnet Labs Unbound affecting versions 1.14.0 through 1.25.0. The issue can be triggered by a client that can query Unbound and supplies multiple NSID, DNS Cookie, and/or EDNS Padding options, but only when the relevant EDNS features are enabled. NLnet Labs states Unbound 1.25.1 contains the fix.
NLnet Labs Unbound versions 1.19.1 through 1.25.0 contain a DNSSEC validator issue where the negative-cache path for DS records does not apply the NSEC3 hash-calculation limit introduced in 1.19.1. According to the vendor and NVD, this can cause excessive hashing work and hold a global negative-cache lock long enough to block other threads, creating a denial-of-service condition under coordinated attack. [truncated]
CVE-2026-42534 is a network-reachable availability issue in NLnet Labs Unbound up to and including 1.25.0. According to the published CVE description and NVD metadata, duplicate retransmits of the same query can refresh the apparent age of slow queries, which can interfere with Unbound’s jostle logic when the per-thread query limit is reached. The result is degraded resolution performance, and coordinated [truncated]
CVE-2026-41292 affects NLnet Labs Unbound up to and including 1.25.0. A remote attacker can send queries with excessive EDNS options to keep Unbound threads busy while the resolver parses the options and builds internal data structures, which can degrade service or cause denial of service. Unbound 1.25.1 includes a fix that limits acceptable incoming EDNS options to 100.
CVE-2026-32792 affects NLnet Labs Unbound versions 1.6.2 through 1.25.0 when compiled with DNSCrypt support (--enable-dnscrypt). According to the vendor and NVD, a single malformed DNSCrypt query whose decrypted plaintext is all 0x00 bytes and lacks the expected 0x80 marker can underflow the packet-reading logic, potentially causing a heap overflow and a crash. NLnet Labs states that version 1.25.1 fixes [truncated]
