The CVE number for this vulnerability is CVE-2024-1931.

== Summary

Recent versions of Unbound contain a vulnerability that can cause a denial of service through a code path that can enter an infinite loop. This issue can only be triggered if the non-default option 'ede: yes' is used, Unbound replies with attached EDE information on a positive reply, and the client's advertised buffer size is smaller than the space needed to include the EDE records.

== Affected products

Unbound 1.18.0 up to and including 1.19.1.

== Description

Unbound 1.18.0 introduced a feature that removes EDE records from responses whose size exceeds the client's advertised buffer size. Before removing all the EDE records, however, it first tries to see whether trimming the extra text fields on those records would result in an acceptable size while still retaining the EDE codes. Due to an unchecked condition, the code that trims the text of the EDE records could loop indefinitely. This happens when Unbound replies with attached EDE information on a positive reply and the client's buffer size is smaller than the space needed to include the EDE records.

This issue can only be triggered when the below condition is met:

* Unbound is configured with 'ede: yes' (non-default).

== Solution

Either disable EDE support with 'ede: no' (the default configuration), download a patched version of Unbound, or apply the patch manually.

+ Downloading patched version

Unbound 1.19.2 is released with the patch:
https://nlnetlabs.nl/downloads/unbound/unbound-1.19.2.tar.gz

+ Applying the patch manually

For Unbound 1.18.0 up to and including 1.19.1 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-1931.diff

Apply the patch on the Unbound source directory with 'patch -p1 < patch_CVE-2024-1931.diff', then run 'make install' to install Unbound.

== Acknowledgments

We would like to thank Fredrik Pettai and Patrik Lundin from SUNET for notifying us about the issue and working with us to identify the vulnerability.
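The Description section above explains the failure mode in words: a loop trims EDE extra text until the options fit the client's buffer, and once there is no text left to trim it makes no progress. The Python model below is an added illustration of that bug class, not Unbound's code and not the actual patched logic; it assumes the RFC 8914 EDE layout (2-byte INFO-CODE plus EXTRA-TEXT behind a 4-byte EDNS option header), a trimming strategy of cutting bytes from the longest text, and a constructed pair of EDE options. The unchecked variant has a demo-only pass limit so the hang becomes an exception instead of a real hang.

```python
"""Model of an EDE (RFC 8914) trimming pass, as an added illustration: an
unchecked loop that never makes progress once the EXTRA-TEXT fields are empty,
beside the same loop with the missing progress check. Not Unbound's code."""
from typing import List, Optional, Tuple

OPTION_HEADER_LEN = 4   # OPTION-CODE (2) + OPTION-LENGTH (2), RFC 6891
EDE_INFO_CODE_LEN = 2   # INFO-CODE field, RFC 8914

EdeOption = Tuple[int, bytes]   # (INFO-CODE, EXTRA-TEXT)

# Constructed sample: a positive reply carrying two EDE options with text.
SAMPLE_OPTIONS: List[EdeOption] = [
    (3, b"stale answer served from cache"),   # 3 = Stale Answer
    (22, b"no reachable authority"),          # 22 = No Reachable Authority
]


class TrimLoopDetected(Exception):
    """Raised by the unchecked variant when the demo guard trips."""


def ede_wire_len(options: List[EdeOption]) -> int:
    """Bytes the EDE options occupy inside the OPT RR RDATA."""
    return sum(OPTION_HEADER_LEN + EDE_INFO_CODE_LEN + len(text)
               for _, text in options)


def trim_longest_text(options: List[EdeOption], step: int) -> List[EdeOption]:
    """Cut `step` bytes from the end of the longest EXTRA-TEXT; INFO-CODEs stay."""
    if not options:
        return options
    i = max(range(len(options)), key=lambda k: len(options[k][1]))
    code, text = options[i]
    trimmed = list(options)
    trimmed[i] = (code, text[:max(0, len(text) - step)])
    return trimmed


def fit_ede_unchecked(options: List[EdeOption], available: int,
                      step: int = 8, max_passes: int = 1000) -> List[EdeOption]:
    """Trim until the options fit in `available` bytes. Nothing verifies that a
    pass actually shrank something, so once every EXTRA-TEXT is empty the loop
    spins forever. `max_passes` is only a demo guard that turns the hang into
    an exception; a real unchecked loop has no such guard."""
    current = list(options)
    for _ in range(max_passes):
        if ede_wire_len(current) <= available:
            return current
        current = trim_longest_text(current, step)
    raise TrimLoopDetected("no progress: texts are empty, options still too big")


def fit_ede_checked(options: List[EdeOption], available: int,
                    step: int = 8) -> Optional[List[EdeOption]]:
    """Same loop with the progress check: when a pass removes nothing, give up
    and return None so the caller drops the EDE options from the reply."""
    current = list(options)
    while ede_wire_len(current) > available:
        trimmed = trim_longest_text(current, step)
        if ede_wire_len(trimmed) == ede_wire_len(current):
            return None   # nothing left to trim: omit EDE entirely
        current = trimmed
    return current


def unchecked_hangs(options: List[EdeOption], available: int) -> bool:
    """True if the unchecked variant would loop without end for this input."""
    try:
        fit_ede_unchecked(options, available)
        return False
    except TrimLoopDetected:
        return True


if __name__ == "__main__":
    print("fits after trimming:", fit_ede_checked(SAMPLE_OPTIONS, 40))
    print("checked, buffer too small:", fit_ede_checked(SAMPLE_OPTIONS, 10))
    print("unchecked hangs on too-small buffer:", unchecked_hangs(SAMPLE_OPTIONS, 10))
```

With 40 bytes available both variants agree (the texts are cut to 14 bytes each and the INFO-CODEs survive); with 10 bytes even the bare INFO-CODEs (12 bytes) do not fit, the checked variant returns None so the reply goes out without EDE, and the unchecked variant spins until the demo guard trips. The condition that matters is "did this pass shrink anything", not "is the text empty", because any trim step that cannot reduce the size must terminate the loop.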
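The Affected products and Solution sections give two conditions a host must meet to be exposed: a version from 1.18.0 through 1.19.1 and 'ede: yes' in the configuration. The script below is an added example (not NLnet Labs code) that combines both checks offline. It assumes that the first line of 'unbound -V' output starts with "Version X.Y.Z", that the last uncommented 'ede:' setting in the file wins, and it uses constructed sample output and configs; it does not follow 'include:' directives.

```python
"""Added example (not NLnet Labs code): decide whether a host needs the
CVE-2024-1931 fix from its Unbound version and its 'ede:' setting."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]
FIRST_AFFECTED: Version = (1, 18, 0)   # from the advisory
FIRST_FIXED: Version = (1, 19, 2)      # release that carries the patch

# Constructed samples. The version text assumes 'unbound -V' begins with
# "Version X.Y.Z"; the configs use ordinary unbound.conf syntax.
SAMPLE_VERSION_OUTPUT = "Version 1.19.1\nConfigure line: --prefix=/usr\n"
SAMPLE_CONF_EDE_ON = """\
server:
    interface: 127.0.0.1
    ede-serve-expired: yes   # different option, must not match
    # ede: no   (commented out, ignored)
    ede: yes
"""
SAMPLE_CONF_DEFAULT = """\
server:
    interface: 127.0.0.1
    verbosity: 1
"""

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")
_EDE_RE = re.compile(r'ede:\s*"?(yes|no)"?\s*$', re.IGNORECASE)


def parse_version(text: str) -> Optional[Version]:
    """First X.Y.Z triple in the text, or None if there is none."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: Version) -> bool:
    """True for 1.18.0 up to and including 1.19.1."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def ede_enabled(conf_text: str) -> bool:
    """True if the last uncommented 'ede:' line says yes. Default is no.
    Assumption: later settings override earlier ones."""
    enabled = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        m = _EDE_RE.match(line)
        if m:
            enabled = m.group(1).lower() == "yes"
    return enabled


def needs_fix(version_output: str, conf_text: str) -> bool:
    """Both conditions from the advisory must hold for the host to be exposed."""
    version = parse_version(version_output)
    return version is not None and version_affected(version) and ede_enabled(conf_text)


if __name__ == "__main__":
    print("version:", parse_version(SAMPLE_VERSION_OUTPUT))
    print("ede on, 1.19.1  ->", needs_fix(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF_EDE_ON))
    print("ede off, 1.19.1 ->", needs_fix(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF_DEFAULT))
    print("ede on, 1.19.2  ->", needs_fix("Version 1.19.2", SAMPLE_CONF_EDE_ON))
```

On a live host, feed it the real 'unbound -V' output and the contents of the loaded unbound.conf; because the script ignores 'include:' files, treat a "no" from it as provisional and confirm the effective value with Unbound's own configuration tooling. Note that 'ede: yes' on an affected version is what makes the host exposed; setting 'ede: no' removes the trigger but upgrading to 1.19.2 removes the bug.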