The CVE number for this vulnerability is CVE-2025-11411. Several multi-vendor cache poisoning vulnerabilities have been discovered in caching resolvers for non-DNSSEC protected data. Unbound is vulnerable for some of these cases that could lead to domain hijacking. == Summary Promiscuous NS RRSets that complement DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. If a malicious actor is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache for the delegation point. Unbound 1.24.1 includes a fix to mitigate the poison attempt. Unbound 1.24.2 includes an additional fix to mitigate the poison attempt through YXDOMAIN and nodata non-referral answers. == Affected products Unbound up to and including version 1.24.1. == Description A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies as well, mitigating the possible poison effect. == Mitigation === Downloading patched version Unbound 1.24.2 is released with the patch https://nlnetlabs.nl/downloads/unbound/unbound-1.24.2.tar.gz === Applying the patch manually For Unbound 1.24.0 the patch is: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_option_tests.diff Note that this only addresses part of the vulnerability, the other part is addressed by the following patch. For Unbound 1.24.1 the patch is: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2025-11411_2_wtests.diff Apply the patch(es) on the Unbound source directory with: patch -p1 < patch_CVE-2025-11411_option_tests.diff and/or patch -p1 < patch_CVE-2025-11411_2_wtests.diff then run 'make install' to install Unbound. The patches are tested to work on Unbound 1.24.0 and 1.24.1 respectively. == Acknowledgments We would like to thank Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan from Tsinghua University for discovering and responsibly disclosing the vulnerability. Additional thanks go to TaoFei Guo from Peking University, Yang Luo and JianJun Chen from Tsinghua University for discovering and responsibly disclosing the partial mitigation of CVE-2025-11411 in Unbound 1.24.1.