Another 'ghost domain names' attack variant
Summary
| CVE | CVE-2026-40622 |
|---|---|
| State | PUBLISHED |
| Assigner | NLnet Labs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-20 10:16:26 UTC |
| Updated | 2026-05-26 18:28:04 UTC |
| Description | NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust. |
Risk And Classification
Primary CVSS: v4.0 6.6 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
EPSS: 0.000200000 probability, percentile 0.058250000 (date 2026-05-27)
Problem Types: CWE-346 | CWE-346 CWE-346 Origin Validation Error
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/C... |
| 4.0 | CNA | CVSS | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U... |
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowAttack Requirements
NonePrivileges Required
NoneUser Interaction
NoneConfidentiality
NoneIntegrity
HighAvailability
NoneSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | NLnet Labs | Unbound | affected 1.16.2 1.25.1 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt | [email protected] | www.nlnetlabs.nl | Vendor Advisory, Patch |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Qifan Zhang (Palo Alto Networks) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-28T00:00:00.000Z | Issue reported by Qifan Zhang |
| CNA | 2026-05-07T00:00:00.000Z | NLnet Labs shares patch |
| CNA | 2026-05-08T00:00:00.000Z | Qifan Zhang verifies patch |
| CNA | 2026-05-20T00:00:00.000Z | Fixes released with version 1.25.1 |
Solutions
CNA: This issue is fixed starting with version 1.25.1
There are currently no legacy QID mappings associated with this CVE.