NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options (nsid, answer-cookie, pad-responses (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Unbound | Nlnetlabs | 1.14.0 (including) | 1.25.1 (excluding) |
| Red Hat Enterprise Linux 10 | RedHat | unbound-0:1.24.2-7.el10_2.1 | * |
| Red Hat Enterprise Linux 8 | RedHat | unbound-0:1.16.2-5.11.el8_10 | * |
| Red Hat Enterprise Linux 9 | RedHat | unbound-0:1.24.2-3.el9_8.1 | * |
| Red Hat Hardened Images | RedHat | unbound-main-1.25.1-0.1.hum1 | * |
| Unbound | Ubuntu | devel | * |
| Unbound | Ubuntu | esm-infra/xenial | * |
| Unbound | Ubuntu | noble | * |
| Unbound | Ubuntu | questing | * |
| Unbound | Ubuntu | resolute | * |