Packages
- unbound - validating, recursive, caching DNS resolver
Details
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-40622)
Qifan Zhang discovered that Unbound did not properly limit processing of
long EDNS option lists. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-41292)
Qifan Zhang discovered that Unbound incorrectly handled jostle logic under
certain circumstances. A remote attacker could possibly use this issue to
cause Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42534)
Qifan Zhang discovered that Unbound did not properly bound NSEC3 hash
calculations. A remote attacker could possibly use this issue to cause
Unbound to use excessive resources, leading to a denial of service.
(CVE-2026-42923)
Qifan Zhang discovered that Unbound incorrectly handled multiple EDNS
options in certain situations. A remote attacker could possibly use this
issue to cause Unbound to crash, resulting in a denial of service, or
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS, Ubuntu
25.10, and Ubuntu 26.04 LTS. (CVE-2026-42944)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
of malicious content. A remote attacker could possibly use this issue to
cause Unbound to crash, resulting in a denial of service.
(CVE-2026-42959)
TaoFei Guo, Yang Luo, and JianJun Chen discovered that Unbound
incorrectly handled delegation processing in certain situations. A remote
attacker could possibly use this issue to poison the DNS cache and obtain
sensitive information. (CVE-2026-42960)
Qifan Zhang discovered that Unbound did not properly bound name
compression in certain cases. A remote attacker could possibly use this
issue to cause Unbound to use excessive resources, leading to a denial of
service. (CVE-2026-44390)
Qifan Zhang discovered that Unbound had a use-after-free issue in RPZ
handling. A remote attacker could possibly use this issue to cause Unbound
to crash, resulting in a denial of service, or execute arbitrary code.
This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04
LTS. (CVE-2026-44608)
Update instructions
In general, a standard system update will make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 20.04 LTS focal | libunbound8 – 1.9.4-2ubuntu1.11+esm1 | ||
| unbound – 1.9.4-2ubuntu1.11+esm1 | |||
| 18.04 LTS bionic | libunbound2 – 1.6.7-1ubuntu2.6+esm4 | ||
| unbound – 1.6.7-1ubuntu2.6+esm4 | |||
| 16.04 LTS xenial | libunbound2 – 1.5.8-1ubuntu1.1+esm3 | ||
| unbound – 1.5.8-1ubuntu1.1+esm3 | |||
| 14.04 LTS trusty | libunbound2 – 1.4.22-1ubuntu4.14.04.3+esm3 | ||
| unbound – 1.4.22-1ubuntu4.14.04.3+esm3 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.