CVE-2026-40622
Description
NLnet Labs Unbound 1.16.2 up to and including version 1.25.0 has a vulnerability of the 'ghost domain names' family of attacks that could extend the ghost domain window by up to one cached TTL configured value. Similar to other 'ghost domain names' attacks, an adversary needs to control a (ghost) zone and be able to query a vulnerable Unbound. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset and essentially extend the ghost domain window by up to one cached TTL configured value ('cache-max-ttl'). In configurations where 'harden-referral-path: yes' is used (non-default configuration), no client NS query is required since Unbound implicitly performs that query. Unbound 1.25.1 contains a patch with a fix that does not allow extension of TTLs for (parent) NS records regardless of their trust.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unbound 1.16.2 through 1.25.0 allows an attacker controlling a ghost zone to extend the ghost domain window by up to one configured TTL via a single NS query.
Vulnerability
Unbound versions 1.16.2 up to and including 1.25.0 are affected by a vulnerability in the 'ghost domain names' family of attacks [1]. The bug allows an adversary who controls a (ghost) zone and can query a vulnerable Unbound instance to extend the ghost domain window by up to one configured cache-max-ttl value [1]. A single client NS query can cause Unbound to overwrite the cached expired parent-side referral NS rrset with the child-side apex NS rrset [1].
Exploitation
An adversary must control a ghost zone and be able to send queries to a vulnerable Unbound resolver [1]. In the default configuration, a single client NS query triggers the overwrite [1]. If the non-default option harden-referral-path: yes is enabled, no client NS query is needed because Unbound implicitly performs that query [1].
Impact
By extending the ghost domain window by up to one TTL period, the attacker can continue to serve forged DNS data from the ghost zone longer than intended [1]. This can lead to prolonged domain hijacking and potential redirection of traffic to attacker-controlled hosts, undermining DNS integrity [1].
Mitigation
The vulnerability is fixed in Unbound 1.25.1, which does not allow extension of TTLs for parent NS records regardless of their trust [1]. For users on version 1.25.0, a patch (patch_CVE-2026-40622.diff) is available from NLnet Labs [1]. Users should upgrade to 1.25.1 or apply the patch and run make install [1]. No workaround for earlier versions is mentioned in the available references.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
18d8fa4226613 - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
2 files changed · +12 −0
doc/Changelog+2 −0 modified@@ -8,6 +8,8 @@ content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths from 'calif.io' for the report. + - Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan + Zhang, Palo Alto Networks, for the report. 23 April 2026: Wouter - Merge #1441: Fix buffer overrun in
services/cache/rrset.c+10 −0 modified@@ -149,6 +149,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns) if(equal && !TTL_IS_EXPIRED(cached->ttl, timenow) && cached->security == sec_status_bogus) return 0; + /* ghost-domain: never let an NS overwrite extend lifetime + * past the entry it replaces, regardless of trust. */ + if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) && + newd->ttl > cached->ttl) { + size_t i; + newd->ttl = cached->ttl; + for(i=0; i<(newd->count+newd->rrsig_count); i++) + if(newd->rr_ttl[i] > newd->ttl) + newd->rr_ttl[i] = newd->ttl; + } return 1; } /* o item in cache has expired */
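Review bot: the new cap in need_to_update_rrset is guarded by `!TTL_IS_EXPIRED(cached->ttl, timenow)`, so when the cached NS rrset has already expired (the path the trailing `/* o item in cache has expired */` comment leads into) the incoming rrset's TTL is accepted unchanged; since the CVE description speaks of overwriting the cached *expired* parent-side referral, a comment stating why the expired case needs no cap, or where it is handled, would help the next reader. The per-RR clamp `if(newd->rr_ttl[i] > newd->ttl) newd->rr_ttl[i] = newd->ttl;` also only runs inside the `newd->ttl > cached->ttl` branch, so it relies on rr_ttl[] never exceeding the rrset ttl when that branch is skipped; worth documenting that invariant in the comment above the block.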
Vulnerability mechanics
Root cause
"Missing TTL cap on NS rrset updates allows a child-zone apex NS rrset to overwrite an expired parent-side referral NS rrset with a longer TTL, extending the ghost domain window."
Attack vector
An attacker who controls a ghost zone sends a single NS query to a vulnerable Unbound resolver. The resolver's cache update logic in `need_to_update_rrset` [patch_id=792748] allows the child-zone apex NS rrset to overwrite the cached parent-side referral NS rrset even when the cached entry is expired, and the new rrset's TTL can be larger than the old one. This extends the ghost domain window by up to the configured `cache-max-ttl` value. In configurations with `harden-referral-path: yes` (non-default), the attacker does not need to send the NS query because Unbound performs it implicitly.
Affected code
The vulnerability is in `services/cache/rrset.c` in the `need_to_update_rrset` function [patch_id=792748]. When deciding whether to replace a cached NS rrset, the function did not cap the TTL of the incoming NS rrset to the TTL of the existing cached entry. This affects Unbound versions 1.16.2 through 1.25.0.
What the fix does
The patch adds a check in `need_to_update_rrset` [patch_id=792748] that, when updating an NS rrset (`ns` flag is true) and the cached entry is not yet expired, caps the new TTL to the cached TTL if the new TTL is larger. It also caps each individual rr_ttl value in the new rrset to the same bound. This prevents an attacker from extending the lifetime of a cached NS rrset beyond its original expiration, closing the ghost domain window extension regardless of trust level.
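As an added illustration, not Unbound's own code, the following C model reproduces the NS-rrset overwrite decision in its vulnerable and patched forms and measures how far one child-apex NS overwrite pushes out the cached referral's expiry. The struct, the fixed "now", the 100 s of remaining referral lifetime and the 86400 s cache-max-ttl are constructed assumptions.

```c
#include <stddef.h>
#include <time.h>

/* Constructed model of the fields the fix touches. Unbound stores absolute
 * expiry times (seconds since the epoch) for the rrset and for each RR/RRSIG;
 * this is not Unbound's own struct. */
#define MAX_RR 8
typedef struct {
    time_t ttl;            /* absolute expiry of the whole rrset */
    size_t count;          /* number of RRs */
    size_t rrsig_count;    /* number of RRSIGs */
    time_t rr_ttl[MAX_RR]; /* absolute expiry per RR/RRSIG */
} ns_rrset;

static int ttl_is_expired(time_t ttl, time_t now) { return ttl < now; }

/* Overwrite a cached parent-side referral NS rrset with an incoming child-apex
 * NS rrset. patched=0 keeps the incoming TTLs (1.16.2..1.25.0 behaviour);
 * patched=1 applies the 1.25.1 cap: a still-valid cached entry is never
 * extended, whatever the trust level of the incoming data. */
static void overwrite_ns(ns_rrset *cached, ns_rrset *newd, time_t now, int patched)
{
    if (patched && !ttl_is_expired(cached->ttl, now) && newd->ttl > cached->ttl) {
        size_t i;
        newd->ttl = cached->ttl;
        for (i = 0; i < newd->count + newd->rrsig_count; i++)
            if (newd->rr_ttl[i] > newd->ttl)
                newd->rr_ttl[i] = newd->ttl;
    }
    *cached = *newd;
}

/* One constructed scenario: the referral expires in 100 s; the attacker's apex
 * NS arrives carrying the default cache-max-ttl (86400 s). Returns how many
 * seconds the cached expiry moved, i.e. the ghost-window extension. */
static long ghost_window_extension(int patched)
{
    const time_t now = 1000000, cache_max_ttl = 86400;
    ns_rrset cached = { now + 100, 2, 0, { now + 100, now + 100 } };
    ns_rrset apex = { now + cache_max_ttl, 2, 0,
                      { now + cache_max_ttl, now + cache_max_ttl } };
    time_t before = cached.ttl;
    overwrite_ns(&cached, &apex, now, patched);
    return (long)(cached.ttl - before);   /* unpatched: 86300, patched: 0 */
}
```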
Preconditions
- network: Attacker must be able to send DNS queries to a vulnerable Unbound resolver.
- input: Attacker must control a ghost zone (a zone that no longer exists on the authoritative parent but whose NS records remain cached).
- config: No special configuration required; default settings are vulnerable. With 'harden-referral-path: yes' the attack is even easier as no explicit NS query is needed.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: no linked articles in our index yet.