CVE-2026-33278

NLnet Labs · Unbound

NLnet Labs Unbound contains a DNSSEC validation flaw that can be exploited to cause a denial-of-service or potentially remote code execution.

Executive summary

A critical vulnerability in the DNSSEC validator of NLnet Labs Unbound allows for potential remote code execution through memory corruption during sub-query processing.

Vulnerability

This is a memory corruption vulnerability within the DNSSEC validator. It occurs when the validator performs a deep copy of data structures, leading to an erroneous pointer overwrite that is triggered when sub-queries are resumed.

Business impact

Successful exploitation can lead to a crash of the resolver service (Denial of Service) or potentially arbitrary code execution. Given the 9.8 CVSS score, this vulnerability poses a significant risk to the stability and security of DNS infrastructure.

Remediation

Immediate Action: Upgrade to Unbound version 1.25.1 or later without delay; this is the fixed release.

Proactive Monitoring: Monitor resolver logs and system resources for unexpected service restarts or abnormal CPU/memory consumption.

Compensating Controls: Ensure Unbound is running in a minimal-privilege environment (e.g., chroot/jail) to limit the impact of a potential code execution event.
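The remediation steps above can be verified from the host. The following check is an added example written for this advisory, not code from NLnet Labs or the Unbound project: it parses the first line of `unbound -V` output (assumed here to read "Version X.Y.Z") and compares it against the fixed release 1.25.1, then reads the server: section of unbound.conf for the real `chroot:` and `username:` options to see whether the resolver is explicitly confined. Both the version output and the configuration shown are constructed samples; an option that is absent from the file falls back to Unbound's compiled-in default, which the script reports rather than guesses (the effective value can be confirmed with `unbound-checkconf -o chroot`).

```python
"""Added example (not NLnet Labs / Unbound project code): check that a host runs the
fixed Unbound release and that the compensating controls (chroot, unprivileged user)
are explicitly configured."""
import re
import subprocess

FIXED_VERSION = (1, 25, 1)  # fixed release named in the advisory

# Constructed sample of `unbound -V` output, first line only matters here.
SAMPLE_VERSION_OUTPUT = "Version 1.25.1\nConfigure line: --prefix=/usr (constructed sample)\n"

# Constructed sample unbound.conf; chroot is explicitly disabled to show a finding.
SAMPLE_CONF = """# constructed sample unbound.conf, not a real deployment
server:
    verbosity: 1
    interface: 127.0.0.1
    chroot: ""        # chroot explicitly disabled
    username: "unbound"
remote-control:
    control-enable: no
"""


def parse_unbound_version(version_output):
    """Return (major, minor, patch) from the 'Version X.Y.Z' line of `unbound -V`."""
    m = re.search(r"^Version\s+(\d+)\.(\d+)\.(\d+)", version_output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version X.Y.Z' line found in unbound -V output")
    return tuple(int(x) for x in m.groups())


def is_fixed(version):
    """True when the running version is at or past the fixed release."""
    return tuple(version) >= FIXED_VERSION


def parse_confinement(conf_text):
    """Extract explicit chroot/username values from the server: section.

    Result values: None  -> option absent (compiled-in default applies)
                   ""    -> option explicitly set to an empty string (disabled)
                   other -> the configured path or user name
    A later occurrence overrides an earlier one, as Unbound itself does."""
    settings = {"chroot": None, "username": None}
    in_server = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):   # a section header such as server:
            in_server = line == "server:"
            continue
        m = re.fullmatch(r"(chroot|username):\s*(.*)", line)
        if in_server and m:
            value = m.group(2).strip()
            settings[m.group(1)] = value.strip('"')
    return settings


def confinement_findings(settings):
    """Describe weaknesses in the explicit confinement settings."""
    findings = []
    if settings["chroot"] == "":
        findings.append("chroot explicitly disabled: resolver sees the host filesystem")
    elif settings["chroot"] is None:
        findings.append("chroot not set in config: compiled-in default applies, "
                        "confirm with 'unbound-checkconf -o chroot'")
    if settings["username"] == "":
        findings.append("username explicitly disabled: resolver keeps start-up privileges")
    elif settings["username"] is None:
        findings.append("username not set in config: compiled-in default applies, "
                        "confirm with 'unbound-checkconf -o username'")
    return [f for f in findings if "default applies" not in f or settings.get("strict")]


def assess(version_output, conf_text):
    """Combine both checks into one report dictionary."""
    version = parse_unbound_version(version_output)
    settings = parse_confinement(conf_text)
    return {
        "version": version,
        "fixed": is_fixed(version),
        "confinement": settings,
        "findings": confinement_findings(settings),
    }


if __name__ == "__main__":
    try:  # live check where unbound is installed; otherwise fall back to the samples
        out = subprocess.run(["unbound", "-V"], capture_output=True, text=True).stdout
        with open("/etc/unbound/unbound.conf") as fh:
            conf = fh.read()
    except (FileNotFoundError, OSError):
        out, conf = SAMPLE_VERSION_OUTPUT, SAMPLE_CONF
    print(assess(out, conf))
```

On the sample input the version check passes (1.25.1 is the fixed release) while the confinement check reports that chroot is explicitly disabled. Options missing from the file are deliberately not flagged as disabled, because Unbound ships compiled-in defaults for both; the script points at `unbound-checkconf -o` to read the effective value instead of assuming one.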

Exploitation status

Public Exploit Available: false

Analyst recommendation

Administrators must update to the latest version of Unbound immediately. This patch correctly handles data structure copying, effectively mitigating the risk of memory corruption and code execution.