9f7139d09a59082362a77e53ebd060386d21a99b blob 1832
Candidate: CVE-2025-11411
PublicDate: 2025-10-22 13:15:00 UTC
References:
 https://www.cve.org/CVERecord?id=CVE-2025-11411
 https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
Description:
 NLnet Labs Unbound up to and including version 1.24.0 is vulnerable to
 possible domain hijack attacks. Promiscuous NS RRSets that complement
 positive DNS replies in the authority section can be used to trick
 resolvers to update their delegation information for the zone. Usually
 these RRSets are used to update the resolver's knowledge of the zone's name
 servers. A malicious actor can exploit the possible poisonous effect by
 injecting NS RRSets (and possibly their respective address records) in a
 reply. This could be done for example by trying to spoof a packet or
 fragmentation attacks. Unbound would then proceed to update the NS RRSet
 data it already has since the new data has enough trust for it, i.e.,
 in-zone data for the delegation point. Unbound 1.24.1 includes a fix that
 scrubs unsolicited NS RRSets (and their respective address records) from
 replies mitigating the possible poison effect.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Yuxiao Wu, Yunyi Zhang, Baojun Liu, and Haixin Duan
Assigned-to: mdeslaur(main)
CVSS:
 nlnetlabs: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P [5.7 MEDIUM]

Patches_unbound:
 upstream: https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852
upstream_unbound: released (1.24.1-1)
esm-infra-legacy/trusty_unbound: needs-triage
esm-infra/xenial_unbound: needs-triage
esm-infra/bionic_unbound: needs-triage
esm-infra/focal_unbound: needs-triage
jammy_unbound: needs-triage
noble_unbound: needs-triage
plucky_unbound: needs-triage
questing_unbound: needs-triage
devel_unbound: needs-triage

