- Last update: 21/05/2026
- Affected software:
  → Unbound DNS resolver, versions up to and including 1.25.0
- Type:
  → Denial of Service (DoS)
  → Remote Code Execution (RCE)
- CVE/CVSS:
  → CVE-2026-33278: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  → CVE-2026-42944: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  → CVE-2026-42959: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
NLnet Labs - https://nlnetlabs.nl/projects/unbound/security-advisories/
NLnet Labs - https://nlnetlabs.nl/downloads/unbound/CVE-2026-33278.txt
NLnet Labs - https://nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt
NLnet Labs - https://nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txt
CVE-2026-33278 is a critical vulnerability affecting the Unbound DNSSEC validator. Exploitation of this vulnerability could enable denial of service and, potentially, the execution of arbitrary code.
CVE-2026-42944 is a heap overflow vulnerability affecting Unbound. An unauthenticated attacker can query Unbound with multiple NSID, DNS Cookie and/or EDNS Padding options to trigger a heap overflow that crashes the Unbound service, resulting in a denial of service.
CVE-2026-42959 is a denial-of-service vulnerability in the Unbound DNSSEC validator. Exploitation of this vulnerability results in an immediate crash of the Unbound process, causing a complete denial of service for DNS resolution on the affected system.
There is no evidence of exploitation of the vulnerabilities at the moment.
NLnet Labs has disclosed several vulnerabilities affecting the Unbound DNS resolver which could result in denial of service (DoS).
CVE-2026-33278 is a critical vulnerability with a CVSS score of 9.8 affecting Unbound 1.19.1 through 1.25.0. This vulnerability exists in the DNSSEC validator during NSEC3 validation handling and is caused by an incorrect deep-copy operation. A crafted DNSSEC response can trigger access to freed memory, leading to crashes or possible remote code execution.
CVE-2026-42944 is a heap overflow vulnerability in EDNS reply packet encoding, affecting Unbound versions 1.14.0 through 1.25.0. The flaw is caused by incorrect EDNS size calculations when handling multiple NSID, DNS Cookie, or EDNS Padding options. A remote unauthenticated attacker can trigger the issue by sending specially crafted DNS queries. Exploitation can crash the service, resulting in a denial-of-service condition.
CVE-2026-42959 is a denial-of-service vulnerability in the DNSSEC validator of Unbound up to version 1.25.0. This issue arises from incorrect counter usage when calculating write offsets for ADDITIONAL section RRsets during chase-reply construction. DNAME duplication and AUTHORITY filtering can create uninitialized array slots, leading to invalid memory references. An attacker controlling a DNSSEC-signed domain can trigger the bug with a single crafted query, resulting in an immediate process crash.
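To triage a resolver fleet against the version ranges stated above, the following added example (not code from the CCB or NLnet Labs) maps a version string, such as the first line of `unbound -V` output, to the CVEs whose stated range contains it. Hostnames and version strings in the sample inventory are constructed.

```python
import re

# Affected ranges exactly as stated in this advisory (inclusive bounds).
# A lower bound of None means the advisory only says "up to 1.25.0".
AFFECTED = {
    "CVE-2026-33278": ((1, 19, 1), (1, 25, 0), 9.8),
    "CVE-2026-42944": ((1, 14, 0), (1, 25, 0), 7.5),
    "CVE-2026-42959": (None, (1, 25, 0), 7.5),
}

def parse_version(text):
    """Extract the first x.y.z version from `unbound -V` output or a package string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def applicable_cves(text):
    """Return [(cve, cvss)] whose stated range contains the version, worst first."""
    ver = parse_version(text)
    if ver is None:
        raise ValueError(f"no version found in {text!r}")
    hits = [(cve, score) for cve, (lo, hi, score) in AFFECTED.items()
            if (lo is None or lo <= ver) and ver <= hi]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def triage(inventory):
    """Map host -> list of CVE ids; hosts with unparsable versions map to None."""
    report = {}
    for host, banner in inventory.items():
        try:
            report[host] = [cve for cve, _ in applicable_cves(banner)]
        except ValueError:
            report[host] = None  # version unreadable: needs manual review
    return report

# Constructed inventory: hostnames and version strings are made up for the example.
SAMPLE = {
    "resolver-a": "Version 1.25.0\n\nConfigure line: --prefix=/usr",
    "resolver-b": "Version 1.17.1",
    "resolver-c": "unbound 1.13.2-1",
    "resolver-d": "Version 1.26.0",  # hypothetical later release, outside the stated ranges
    "resolver-e": "version unknown",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE).items():
        print(host, "REVIEW" if cves is None else (", ".join(cves) or "not in stated ranges"))
```

A version string alone cannot show whether a distribution package carries backported fixes, so treat a match as a prompt to check the vendor's changelog rather than as proof of exposure.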
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations upscale their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.