Critical Unbound DNS Resolver Vulnerabilities Patched Across Ubuntu LTS Releases
Ubuntu has released security updates addressing multiple vulnerabilities in Unbound, a widely-used DNS resolver, affecting Ubuntu 14.04 through 20.04 LTS. The flaws range from denial-of-service conditions to potential arbitrary code execution through improper DNSSEC validation.
TL;DR
- Multiple CVEs patched in Unbound DNS resolver across Ubuntu 14.04, 16.04, 18.04, and 20.04 LTS
- DNSCrypt packet handling flaw can trigger remote denial of service
- DNSSEC validation bypass may allow arbitrary code execution in certain configurations
- Ghost domain name record mishandling and EDNS option processing issues also addressed
- Immediate patching recommended for systems running affected Ubuntu versions
Ubuntu has released follow-up security updates (USN-8282-2) addressing multiple vulnerabilities in Unbound, a popular open-source DNS resolver used in many enterprise and infrastructure deployments. The advisory covers CVE-2026-41292, CVE-2026-42959, and CVE-2026-42960, with patches now available for Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS.
The vulnerabilities span several attack vectors: improper handling of DNSCrypt packets that can crash the resolver, incorrect DNSSEC validation logic that may permit arbitrary code execution, and flawed processing of ghost domain records and extended DNS option lists. Organizations relying on Unbound for DNS resolution should prioritize applying these updates to prevent potential service disruptions and security breaches.
Vulnerability Details
- CVE-2026-32792: Remote attacker can crash Unbound via malformed DNSCrypt packets, causing denial of service
- CVE-2026-33278: DNSSEC validation bypass may enable arbitrary code execution in vulnerable configurations
- CVE-2026-40622: Ghost domain name record mishandling allows remote denial of service attacks
- Unbound fails to properly limit processing of long EDNS option lists, creating resource exhaustion risk
Affected Systems and Mitigation
- Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, and 20.04 LTS all require security updates
- System administrators should apply patches immediately to prevent exploitation
- DNS resolver availability is critical infrastructure; unpatched systems face DoS and potential compromise
- Organizations should verify Unbound version post-patch to confirm successful remediation
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.