CVE-2026-40622

Severity: Medium · CVSS 4.0 base score 6.6 · EPSS 6.8%
Published May 20, 2026 · Last modified Jun 17, 2026

Description

NLnet Labs Unbound 1.16.2 up to and including 1.25.0 is susceptible to an attack of the 'ghost domain names' family that can extend the ghost domain window by up to one configured 'cache-max-ttl'. As with other ghost domain attacks, the adversary must control a (ghost) zone and be able to send queries to a vulnerable Unbound. A single client NS query causes Unbound to overwrite the cached, expired parent-side referral NS rrset with the child-side apex NS rrset, which keeps the deleted delegation alive for up to one more cached TTL (bounded by 'cache-max-ttl'). In configurations with 'harden-referral-path: yes' (not the default), no client NS query is required, because Unbound issues that query itself. Unbound 1.25.1 contains a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust level.
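The following is an added, constructed model of the cache-update rule the description is about; it is not Unbound's code and does not reproduce its data structures. It keeps one NS rrset per delegation with an absolute expiry, applies the 'cache-max-ttl' cap, and replays a single ghost-domain timeline twice: once with the pre-1.25.1 rule (a child-side apex NS answer may overwrite and extend the cached parent-side referral, even an expired one) and once with the 1.25.1 rule (the cached NS expiry is never extended by child-side data). The zone name, nameserver name, TTLs and timestamps are assumptions chosen for illustration.

```python
"""Toy model of the NS-cache update behind CVE-2026-40622 (constructed example,
not Unbound's code). Zone names, TTLs and timestamps are assumed values."""
from dataclasses import dataclass
from typing import Dict, Tuple

CACHE_MAX_TTL = 86400  # models Unbound's 'cache-max-ttl' (default: 86400 s)


@dataclass
class NSEntry:
    nameservers: Tuple[str, ...]
    expiry: int        # absolute time in seconds
    parent_side: bool  # True if learned from the parent's referral


class NSCache:
    """One NS rrset per delegation; only the apex-NS update rule differs
    between the vulnerable and the fixed behaviour."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.entries: Dict[str, NSEntry] = {}

    def store_referral(self, name: str, ns: Tuple[str, ...], ttl: int, now: int) -> None:
        # Parent-side referral: the authoritative source for how long the
        # delegation may live in the cache.
        self.entries[name] = NSEntry(ns, now + min(ttl, CACHE_MAX_TTL), parent_side=True)

    def store_apex_ns(self, name: str, ns: Tuple[str, ...], ttl: int, now: int) -> None:
        # Child-side apex NS answer, as produced by a client's NS query (or by
        # Unbound itself under 'harden-referral-path: yes').
        expiry = now + min(ttl, CACHE_MAX_TTL)
        current = self.entries.get(name)
        if self.fixed and current is not None:
            # 1.25.1 rule: never extend the lifetime of a cached NS rrset,
            # whatever the trust level of the new data.
            expiry = min(expiry, current.expiry)
        self.entries[name] = NSEntry(ns, expiry, parent_side=False)

    def resolvable(self, name: str, now: int) -> bool:
        entry = self.entries.get(name)
        return entry is not None and entry.expiry > now


def simulate(fixed: bool) -> Tuple[int, bool]:
    """Replay one ghost-domain timeline. Returns (NS expiry after the attack,
    whether the deleted domain still resolves one hour after the attack)."""
    cache = NSCache(fixed=fixed)
    ghost = "ghost.example."                 # assumed attacker-controlled zone
    attacker_ns = ("ns1.ghost.example.",)    # assumed nameserver name

    # t=0: the resolver follows the parent's referral, TTL 3600.
    cache.store_referral(ghost, attacker_ns, ttl=3600, now=0)
    # t=600: the registry deletes the delegation; from now on only the cached
    # copy keeps the domain alive (the normal ghost window ends at t=3600).
    # t=3800: the referral has expired. The attacker sends 'NS ghost.example'
    # and the attacker's server answers with its apex NS rrset, TTL 7 days,
    # which the cache caps at CACHE_MAX_TTL.
    cache.store_apex_ns(ghost, attacker_ns, ttl=604800, now=3800)

    expiry = cache.entries[ghost].expiry
    return expiry, cache.resolvable(ghost, now=3800 + 3600)


if __name__ == "__main__":
    print("vulnerable:", simulate(fixed=False))  # expiry 90200, still resolves
    print("fixed:     ", simulate(fixed=True))   # expiry 3600, does not resolve
```

With the vulnerable rule the expiry jumps from 3600 to 3800 + 86400, i.e. the window grows by one 'cache-max-ttl' exactly as the description states; with the fixed rule the child-side answer cannot push the expiry past what the parent referral granted, so the deleted domain stays dead.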

CVSS Details

Base Score
6.6 (CVSS 4.0)
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Vulnerable System Impact (VC/VI/VA): Confidentiality None, Integrity High, Availability None
Subsequent System Impact (SC/SI/SA): Confidentiality None, Integrity None, Availability None
Exploit Maturity (E): Unreported
Provider Urgency (U): Amber

Threat Intelligence

EPSS exploit probability
6.8% (estimated probability of exploitation in the wild within the next 30 days)
Exploit & Patch Status
No known exploit
Patch available (Unbound 1.25.1)

Weaknesses 1

CWE-346: Origin Validation Error

Affected Products 1

Vendor      Product   Version   Range
nlnetlabs   unbound   *         >= 1.16.2, < 1.25.1

References 1

  • nlnetlabs.nl https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt
    Patch, Vendor Advisory

Remediation

Upgrade to Unbound 1.25.1 or later, which no longer lets child-side (apex) NS data extend the TTL of a cached parent-side NS rrset, regardless of trust level. Until the upgrade is applied, be aware that 'harden-referral-path: yes' (non-default) removes the need for an attacker-triggered client NS query, because Unbound then issues that query itself.

  • nlnetlabs.nl https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt
    Patch, Vendor Advisory