CVE-2026-40622 (GCVE-0-2026-40622)
Vulnerability from cvelistv5
Published
2026-05-20 09:18
Modified
2026-05-20 12:12
Severity ?
6.6 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
Summary
NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
References
Impacted products
Vendor Product Version
NLnet Labs Unbound Version: 1.16.2   
Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40622",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T12:12:27.631955Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-346",
                "description": "CWE-346 Origin Validation Error",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T12:12:33.115Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Unbound",
          "vendor": "NLnet Labs",
          "versions": [
            {
              "lessThan": "1.25.1",
              "status": "affected",
              "version": "1.16.2",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Qifan Zhang (Palo Alto Networks)"
        }
      ],
      "datePublic": "2026-05-20T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the \u0027ghost domain names\u0027 family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other \u0027ghost domain names\u0027 attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value (\u0027cache-max-ttl\u0027). In configurations where \u0027harden-referral-path: yes\u0027 is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber",
            "version": "4.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T09:18:41.816Z",
        "orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
        "shortName": "NLnet Labs"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed starting with version 1.25.1"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-28T00:00:00.000Z",
          "value": "Issue reported by Qifan Zhang"
        },
        {
          "lang": "en",
          "time": "2026-05-07T00:00:00.000Z",
          "value": "NLnet Labs shares patch"
        },
        {
          "lang": "en",
          "time": "2026-05-08T00:00:00.000Z",
          "value": "Qifan Zhang verifies patch"
        },
        {
          "lang": "en",
          "time": "2026-05-20T00:00:00.000Z",
          "value": "Fixes released with version 1.25.1"
        }
      ],
      "title": "Another \u0027ghost domain names\u0027 attack variant",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
    "assignerShortName": "NLnet Labs",
    "cveId": "CVE-2026-40622",
    "datePublished": "2026-05-20T09:18:41.816Z",
    "dateReserved": "2026-05-07T10:07:51.817Z",
    "dateUpdated": "2026-05-20T12:12:33.115Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.