The CVE number for this vulnerability is CVE-2019-16866

== Summary

Recent versions of Unbound contain a problem that may cause Unbound to crash after receiving a specially crafted query. This issue can only be triggered by queries received from addresses allowed by Unbound's ACL.

== Affected products

Unbound 1.7.1 up to and including 1.9.3.

== Description

Due to an error in parsing NOTIFY queries, it is possible for Unbound to continue processing malformed queries, which may ultimately result in a pointer dereference in uninitialized memory. This results in a crash of the Unbound daemon. Whether this issue leads to a crash depends on the content of the uninitialized memory space and cannot be predicted.

This issue can only be triggered by queries received from addresses that are allowed to send queries according to Unbound's ACL (access-control in the Unbound configuration).

== Solution

Download the patched version of Unbound, or apply the patch manually.

+ Downloading the patched version

Unbound 1.9.4 is released with the patch: https://nlnetlabs.nl/downloads/unbound/unbound-1.9.4.tar.gz

+ Applying the patch manually

For Unbound 1.7.1 up to and including 1.9.3 the patch is: https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-16866.diff

Apply the patch in the Unbound source directory with:

  'patch -p0 < patch_cve_2019-16866.diff'

then run 'make install' to install Unbound.

== Acknowledgments

We would like to thank X41 D-Sec for notifying us about this vulnerability and OSTIF for sponsoring the Unbound security audit.
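The following is an added example, not part of the NLnet Labs advisory, that checks whether an Unbound version falls inside the affected range 1.7.1 up to and including 1.9.3 so that operators can decide whether the 1.9.4 upgrade or the patch applies to them. It assumes that 'unbound -V' prints a first line of the form "Version X.Y.Z".

```shell
#!/bin/sh
# Added example (not from the advisory): is this Unbound version affected by
# CVE-2019-16866, i.e. in the range 1.7.1 .. 1.9.3 inclusive?

# Compare two dotted version strings numerically on their first three
# components; prints -1, 0 or 1. Suffixes such as "rc1" are ignored.
vercmp() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Exit status 0 when the version is within [1.7.1, 1.9.3], 1 otherwise.
unbound_affected() {
    [ "$(vercmp "$1" 1.7.1)" -ge 0 ] && [ "$(vercmp "$1" 1.9.3)" -le 0 ]
}

# Check the installed binary. Assumption: 'unbound -V' prints "Version X.Y.Z"
# as its first line.
check_installed() {
    v=$(unbound -V 2>/dev/null | awk '/^Version/ {print $2; exit}')
    [ -n "$v" ] || { echo "unbound not found in PATH"; return 2; }
    if unbound_affected "$v"; then
        echo "Unbound $v is affected by CVE-2019-16866: upgrade to 1.9.4 or apply the patch"
        return 0
    fi
    echo "Unbound $v is outside the affected range 1.7.1 .. 1.9.3"
    return 1
}
```

Run 'check_installed' on a host to get a one-line verdict; 'unbound_affected 1.8.3' can be used on its own for versions read from an inventory.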