CVE-2026-40622

Severity CVSS v4.0:

MEDIUM

Type:

Unavailable / Other

Publication date:

20/05/2026

Last modified:

20/05/2026

Description

NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the &#39;ghost domain names&#39; family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other &#39;ghost domain names&#39; attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value (&#39;cache-max-ttl&#39;). In configurations where &#39;harden-referral-path: yes&#39; is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.

Impact

Vector 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber CVSS v4.0 Severity and Metrics:

Base Score: 6.60 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): None
User Interaction (UI): None
Confidentiality (VC): None
Integrity (VI): High
Availability (VA): None
Confidentiality (SC): None
Integrity (SI): None
Availability (SA): None
Provider Urgency (U): Amber
Exploit Maturity (E): Unreported

Base Score 4.0

6.60

Severity 4.0

MEDIUM

References to Advisories, Solutions, and Tools

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-40622.txt