Lucene search
K

EulerOS 2.0 SP12 : unbound (EulerOS-SA-2026-2574)

🗓️ 10 Jul 2026 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 2 Views

EulerOS Unbound cache poisoning and ghost attacks; fix in Unbound 1.25.1; affected up to 1.25.0

Related
Refs
Code
ReporterTitlePublishedViews
Family
FreeBSD
Unbound -- Multiple vulnerabilities
20 May 202600:00
freebsd
FreeBSD
FreeBSD -- Multiple vulnerabilities in unbound
9 Jun 202600:00
freebsd
ATTACKERKB
CVE-2026-33278
20 May 202609:18
attackerkb
ATTACKERKB
CVE-2026-41292
20 May 202609:19
attackerkb
ATTACKERKB
CVE-2026-42959
20 May 202609:20
attackerkb
ATTACKERKB
CVE-2026-42960
20 May 202609:21
attackerkb
ATTACKERKB
CVE-2026-40622
20 May 202609:18
attackerkb
Tenable Nessus
Amazon Linux 2023 : python3-unbound, unbound, unbound-anchor (ALAS2023-2026-1756)
27 May 202600:00
nessus
Tenable Nessus
Amazon Linux 2 : unbound, --advisory ALAS2-2026-3322 (ALAS-2026-3322)
8 Jun 202600:00
nessus
Tenable Nessus
Alibaba Cloud Linux 3 : 0156: unbound (ALINUX3-SA-2026:0156)
16 Jun 202600:00
nessus
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(326203);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/07/10");

  script_cve_id(
    "CVE-2026-33278",
    "CVE-2026-40622",
    "CVE-2026-41292",
    "CVE-2026-42959",
    "CVE-2026-42960"
  );

  script_name(english:"EulerOS 2.0 SP12 : unbound (EulerOS-SA-2026-2574)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the unbound packages installed, the EulerOS installation on the remote host is affected by
the following vulnerabilities :

    NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records
    for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be
    used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply
    (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor
    can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by
    address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or
    fragmentation attacks. Unbound would then accept the relative address records in the additional section
    and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the
    delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the
    additional section if they are not explicitly relevant only to authority NS records, mitigating the
    possible poison effect. This is a complement fix to CVE-2025-11411.(CVE-2026-42960)

    NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain
    names' family of attacks that could extend the ghost domain window by up to one cached TTL configured
    value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be
    able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached
    expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost
    domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-
    referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound
    implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension
    of TTLs for (parent) NS records regardless of their trust.(CVE-2026-40622)

    NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack
    related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS
    options can hold Unbound threads hostage while they are parsing and creating internal data structures for
    the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1
    contains a patch with a fix to limit acceptable incoming EDNS options (100).(CVE-2026-41292)

    NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC
    validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply
    messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section
    rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease
    the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator
    later dereferences this uninitialized pointer, causing an immediate process crash. An adversary
    controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain
    with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue
    records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write
    offsets.(CVE-2026-42959)

    NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator
    that enables denial of service and possible remote code execution as a result of deep copying a data
    structure and erroneously overwriting a destination pointer. An adversary can exploit the vulnerability by
    controlling a malicious signed zone and querying a vulnerable Unbound. When DS sub-queries need to suspend
    validation due to NSEC3 computational budget exhaustion (introduced in Unbound 1.19.1), Unbound deep-
    copies response messages to preserve them across memory region teardown. A struct-assignment bug
    overwrites the destination's pointer with the source's pointer. After the sub-query region is freed, the
    resumed validator dereferences this dangling pointer, triggering a crash or potentially enabling arbitrary
    code execution. Unbound 1.25.1 contains a patch with a fix to preserve the correct pointer when deep
    copying the data structure.(CVE-2026-33278)

Tenable has extracted the preceding description block directly from the EulerOS unbound security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2026-2574
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?216aa796");
  script_set_attribute(attribute:"solution", value:
"Update the affected unbound packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33278");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-42960");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/07/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-unbound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:unbound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:unbound-help");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:unbound-libs");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(12)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP12", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

var flag = 0;

var pkgs = [
  "python3-unbound-1.13.2-7.h14.eulerosv2r12",
  "unbound-1.13.2-7.h14.eulerosv2r12",
  "unbound-help-1.13.2-7.h14.eulerosv2r12",
  "unbound-libs-1.13.2-7.h14.eulerosv2r12"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"12", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "unbound");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

10 Jul 2026 00:00Current
6.5Medium risk
Vulners AI Score6.5
CVSS 3.18.1 - 10
CVSS 410
EPSS0.01272
SSVC
2