Unbound vulnerabilities
Published: Tue, 02 Jun 2026 18:26
Summary
Several security issues were fixed in Unbound.
Details
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS. Original advisory details: Andrew Griffiths discovered that Unbound did not properly handle certain DNSCrypt packets. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service. (CVE-2026-32792) Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation in certain situations. A remote attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278) Qifan Zhang discovered that Unbound incorrectly handled certain ghost domain name records. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622) Qifan Zhang discovered that Unbound did not properly limit processing of long EDNS option lists. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-41292) Qifan Zhang discovered that Unbound incorrectly handled jostle logic under certain circumstances. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-42534) Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash calculations. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-42923) Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS options in certain situations. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944) Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation of malicious content. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service. (CVE-2026-42959) TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound incorrectly handled delegation processing in certain situations. A remote attacker could possibly use this issue to poison the DNS cache and obtain sensitive information. (CVE-2026-42960) Qifan Zhang discovered that Unbound did not properly bound name compression in certain cases. A remote attacker could possibly use this issue to cause Unbound to use excessive resources, leading to a denial of service. (CVE-2026-44390) Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ handling. A remote attacker could possibly use this issue to cause Unbound to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-44608)
Recommended actions per Ubuntu release
StackPatch playbook auto-generated per release codename and per affected package.
Ubuntu bionic
unbound→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound-dev→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound2→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound2
Most apt upgrades restart their service automatically. needrestart lists anything else.
python-unbound→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python-unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-unbound→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-anchor→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-anchor
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-host→1.6.7-1ubuntu2.6+esm4apt_upgradeStandard apt upgrade. Install 1.6.7-1ubuntu2.6+esm4 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-host
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu focal
unbound→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound-dev→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound8→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound8
Most apt upgrades restart their service automatically. needrestart lists anything else.
python-unbound→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python-unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
python3-unbound→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python3-unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-anchor→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-anchor
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-host→1.9.4-2ubuntu1.11+esm1apt_upgradeStandard apt upgrade. Install 1.9.4-2ubuntu1.11+esm1 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-host
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu trusty
unbound→1.4.22-1ubuntu4.14.04.3+esm3apt_upgradeStandard apt upgrade. Install 1.4.22-1ubuntu4.14.04.3+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound-dev→1.4.22-1ubuntu4.14.04.3+esm3apt_upgradeStandard apt upgrade. Install 1.4.22-1ubuntu4.14.04.3+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound2→1.4.22-1ubuntu4.14.04.3+esm3apt_upgradeStandard apt upgrade. Install 1.4.22-1ubuntu4.14.04.3+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound2
Most apt upgrades restart their service automatically. needrestart lists anything else.
python-unbound→1.4.22-1ubuntu4.14.04.3+esm3apt_upgradeStandard apt upgrade. Install 1.4.22-1ubuntu4.14.04.3+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python-unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound→1.4.22-1ubuntu4.14.04.3+esm3apt_upgradeStandard apt upgrade. Install 1.4.22-1ubuntu4.14.04.3+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-anchor→1.4.22-1ubuntu4.14.04.3+esm3apt_upgradeStandard apt upgrade. Install 1.4.22-1ubuntu4.14.04.3+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-anchor
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-host→1.4.22-1ubuntu4.14.04.3+esm3apt_upgradeStandard apt upgrade. Install 1.4.22-1ubuntu4.14.04.3+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-host
Most apt upgrades restart their service automatically. needrestart lists anything else.
Ubuntu xenial
unbound→1.5.8-1ubuntu1.1+esm3apt_upgradeStandard apt upgrade. Install 1.5.8-1ubuntu1.1+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound-dev→1.5.8-1ubuntu1.1+esm3apt_upgradeStandard apt upgrade. Install 1.5.8-1ubuntu1.1+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound-dev
Most apt upgrades restart their service automatically. needrestart lists anything else.
libunbound2→1.5.8-1ubuntu1.1+esm3apt_upgradeStandard apt upgrade. Install 1.5.8-1ubuntu1.1+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y libunbound2
Most apt upgrades restart their service automatically. needrestart lists anything else.
python-unbound→1.5.8-1ubuntu1.1+esm3apt_upgradeStandard apt upgrade. Install 1.5.8-1ubuntu1.1+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y python-unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound→1.5.8-1ubuntu1.1+esm3apt_upgradeStandard apt upgrade. Install 1.5.8-1ubuntu1.1+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-anchor→1.5.8-1ubuntu1.1+esm3apt_upgradeStandard apt upgrade. Install 1.5.8-1ubuntu1.1+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-anchor
Most apt upgrades restart their service automatically. needrestart lists anything else.
unbound-host→1.5.8-1ubuntu1.1+esm3apt_upgradeStandard apt upgrade. Install 1.5.8-1ubuntu1.1+esm3 from the apt repo.
sudo apt-get update sudo apt-get install --only-upgrade -y unbound-host
Most apt upgrades restart their service automatically. needrestart lists anything else.
Are YOU affected by USN-8282-2?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether USN-8282-2 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.