-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:33.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE)
2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2)
2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923,
CVE-2026-42944, CVE-2026-42959, CVE-2026-42960,
CVE-2026-44390, CVE-2026-44608
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Unbound is a validating, recursive, and caching DNS resolver
included in the FreeBSD base system as an optional service called
local_unbound.
II. Problem Description
Multiple vulnerabilities have been reported in Unbound. Instead of
listing detailed writeups for each issue, please see the upstream
advisories referenced below.
CVE-2026-33278 - Possible remote code execution during DNSSEC
validation
CVE-2026-42944 - Heap overflow and crash with multiple nsid,
cookie, padding EDNS options
CVE-2026-42959 - Crash during DNSSEC validation of malicious
content
CVE-2026-32792 - Packet of death with DNSCrypt
CVE-2026-44608 - Use-after-free and crash in RPZ code
CVE-2026-40622 - "Ghost domain name" variant
CVE-2026-42960 - Possible cache poisoning while following
delegation
CVE-2026-41292 - Parsing a long list of incoming EDNS options
degrades performance
CVE-2026-42534 - Jostle logic bypass degrades resolution
performance
CVE-2026-42923 - Degradation of service with unbounded NSEC3 hash
calculations
CVE-2026-44390 - Unbounded name compression causes degradation of
service
III. Impact
The issues range from Denial of Service (DoS) through resource exhaustion or
crashes to possible remote code execution during DNSSEC validation. See the
upstream Unbound advisories for specific details.
IV. Workaround
No workaround is available. Systems not running the local_unbound service
are not affected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart the local_unbound service.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:33/unbound.patch
# fetch https://security.FreeBSD.org/patches/SA-26:33/unbound.patch.asc
# gpg --verify unbound.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart the applicable daemons, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ d2a10ff4cb84 stable/15-n283689
releng/15.1/ 1b6c85cfac36 releng/15.1-n283539
releng/15.0/ 6160bd311a1b releng/15.0-n281060
stable/14/ de9d7a2ab8f5 stable/14-n274187
releng/14.4/ 857abc12945a releng/14.4-n273722
releng/14.3/ a68c183e0ad2 releng/14.3-n271522
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiWwbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv5ZcQAMqhP1F0oVdGJ4ZlTusj
An1CAKA3CO3TKt6jrbnTbnw4s1+9kKjwABGcrZw/0sdoq+e0DzhlG8uI9Pol46d8
ANgWVa0T2d4rTDxCRJZZsqxqDfd3PwpGbUPzNNptxnJxWSR5j87m0N6PcMddCBFc
BKg8vdeOJDPky+khcNwXG/g52HcNheXPqzTgq1IMuYrNId4Xrp6pnKbpIPeEYXgj
6+GWIBz20B1qtEwNnjkDdqoHYK143SZcZzapO9QFmo+Su/tVJ+/ymEtFcY7Ze7JB
Hm8jiBIX3S7emFLyUPvAAiY5Oh84IgpazGXhljDGc8R9Wt/ipoDfBSYmGUl9ZNFH
0haadzi5JdQmbqCANURXc7t81miGEI4LDKTcJaIkP0ITVxktENyr5YIpSh/OQEI0
NbAI+ASPp8eVI15YxVaKd0HIdjsGZPY0eRQymMAC55yponTu35aKFc+RG2xCVZat
JPzrp50ZjmTxNMFt1MMPgZTZQxQC14iONT8LVymnG7cgAsjXGw2X7gjRWRMdC4Hb
EezcuwDnHwYAWzD41+1W7WpyMXXdCW8gaIpcLzl41egTpTe932J++9va7RU1R86e
VlqcpvxmEtu7shIvepFHi12l2JNsqsYLmhsYVoUJsMAOHQck2eUXOqfZ4+aQGwye
cL48Uk5LxTjYEHENCtOKOm3e
=7uMj
-----END PGP SIGNATURE-----