| Reporter | Title | Published | Views | Family All 206 |
|---|---|---|---|---|
| Unbound -- Multiple vulnerabilities | 20 May 202600:00 | – | freebsd | |
| FreeBSD -- Multiple vulnerabilities in unbound | 9 Jun 202600:00 | – | freebsd | |
| CVE-2026-33278 | 20 May 202609:18 | – | attackerkb | |
| CVE-2026-41292 | 20 May 202609:19 | – | attackerkb | |
| CVE-2026-42959 | 20 May 202609:20 | – | attackerkb | |
| CVE-2026-42960 | 20 May 202609:21 | – | attackerkb | |
| CVE-2026-40622 | 20 May 202609:18 | – | attackerkb | |
| Amazon Linux 2023 : python3-unbound, unbound, unbound-anchor (ALAS2023-2026-1756) | 27 May 202600:00 | – | nessus | |
| Amazon Linux 2 : unbound, --advisory ALAS2-2026-3322 (ALAS-2026-3322) | 8 Jun 202600:00 | – | nessus | |
| Alibaba Cloud Linux 3 : 0156: unbound (ALINUX3-SA-2026:0156) | 16 Jun 202600:00 | – | nessus |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(326203);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/10");
script_cve_id(
"CVE-2026-33278",
"CVE-2026-40622",
"CVE-2026-41292",
"CVE-2026-42959",
"CVE-2026-42960"
);
script_name(english:"EulerOS 2.0 SP12 : unbound (EulerOS-SA-2026-2574)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the unbound packages installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records
for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be
used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply
(i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor
can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by
address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or
fragmentation attacks. Unbound would then accept the relative address records in the additional section
and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the
delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the
additional section if they are not explicitly relevant only to authority NS records, mitigating the
possible poison effect. This is a complement fix to CVE-2025-11411.(CVE-2026-42960)
NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain
names' family of attacks that could extend the ghost domain window by up to one cached TTL configured
value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be
able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached
expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost
domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-
referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound
implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension
of TTLs for (parent) NS records regardless of their trust.(CVE-2026-40622)
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack
related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS
options can hold Unbound threads hostage while they are parsing and creating internal data structures for
the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1
contains a patch with a fix to limit acceptable incoming EDNS options (100).(CVE-2026-41292)
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC
validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply
messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section
rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease
the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator
later dereferences this uninitialized pointer, causing an immediate process crash. An adversary
controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain
with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue
records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write
offsets.(CVE-2026-42959)
NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator
that enables denial of service and possible remote code execution as a result of deep copying a data
structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by
controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend
validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-
copies response messages to preserve them across memory region teardown. A struct-assignment bug
overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the
resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary
code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep
copying the data structure.(CVE-2026-33278)
Tenable has extracted the preceding description block directly from the EulerOS unbound security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-2574
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?216aa796");
script_set_attribute(attribute:"solution", value:
"Update the affected unbound packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H");
script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33278");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-42960");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/20");
script_set_attribute(attribute:"patch_publication_date", value:"2026/07/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-unbound");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:unbound");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:unbound-help");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:unbound-libs");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");
var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(12)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"python3-unbound-1.13.2-7.h14.eulerosv2r12",
"unbound-1.13.2-7.h14.eulerosv2r12",
"unbound-help-1.13.2-7.h14.eulerosv2r12",
"unbound-libs-1.13.2-7.h14.eulerosv2r12"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"12", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unbound");
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation