Alerts This Week

Debian LTS: Unbound Critical Cache Poisoning Vulnerability DLA-4365-1

Debian LTS
November 5, 2025
Unbound DNS resolver vulnerable to cache poisoning; upgrade recommended for Debian 11 users for security.
Yuxiao Wu, Yunyi Zhang, Baojun Liu and Haixin Duan discovered that unbound, a validating, recursive, and caching DNS resolver, was vulnerable to cache poisoning via NS RRSet inject...

Summary

Promiscuous NS RRSets that accompany DNS replies in the authority
section can be used to trick resolvers into updating their delegation
information for the zone. Usually these RRSets are used to update the
resolver's knowledge of the zone's name servers. A malicious actor who
is able to attach such records to a reply (e.g., via a spoofed packet
or a fragmentation attack) can poison Unbound's cache for the
delegation point.

The fix scrubs unsolicited NS RRSets (and their respective address
records) from replies, thereby mitigating the possible poison effect.
The protection can be turned off by setting the new configuration option
"iter-scrub-promiscuous" to "no"; see unbound.conf(5).
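As an added illustration (not Unbound's code and not part of the advisory), the following simplified model shows what scrubbing unsolicited NS RRSets does to a reply; the record layout, the helper names and the exact keep/drop rules are assumptions of this example, not Unbound's actual iterator logic.

```python
# Illustrative model of scrubbing "promiscuous" NS RRSets (not Unbound's code).
# A reply is three lists of (owner, type, rdata) tuples; names are lowercase
# without a trailing dot, and "" stands for the root zone.

def in_zone(name, zone):
    """True if name is zone itself or lies below it."""
    return zone == "" or name == zone or name.endswith("." + zone)


def scrub_promiscuous(qname, qtype, delegation, reply, scrub=True):
    """Return a scrubbed copy of reply (the iter-scrub-promiscuous: yes case).

    delegation is the zone the query was sent to. Simplified rules
    (assumptions of this example):
      * a referral (no answer records) may carry an NS RRSet only for a zone
        strictly below the delegation point and at or above qname;
      * a reply that carries answers may keep an NS RRSet only if the client
        explicitly asked for NS records of that name (qtype == "NS");
      * A/AAAA records in the additional section that only serve a dropped
        NS record are dropped with it.
    """
    if not scrub:
        return {k: list(v) for k, v in reply.items()}
    referral = not reply["answer"]
    authority, kept, dropped = [], set(), set()
    for owner, rtype, rdata in reply["authority"]:
        if rtype == "NS":
            if referral:
                ok = (owner != delegation and in_zone(owner, delegation)
                      and in_zone(qname, owner))
            else:
                ok = qtype == "NS" and owner == qname
            if not ok:
                dropped.add(rdata)   # promiscuous: remove the record
                continue
            kept.add(rdata)
        authority.append((owner, rtype, rdata))
    orphaned = dropped - kept
    additional = [r for r in reply["additional"]
                  if not (r[1] in ("A", "AAAA") and r[0] in orphaned)]
    return {"answer": list(reply["answer"]), "authority": authority,
            "additional": additional}


# Constructed sample: a genuine answer for www.example.com with an injected
# NS RRSet claiming example.com is served by an attacker-controlled host.
POISONED_REPLY = {
    "answer": [("www.example.com", "A", "192.0.2.10")],
    "authority": [("example.com", "NS", "ns.attacker.example")],
    "additional": [("ns.attacker.example", "A", "198.51.100.1")],
}

if __name__ == "__main__":
    print(scrub_promiscuous("www.example.com", "A", "example.com", POISONED_REPLY))
```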

For Debian 11 bullseye, this problem has been fixed in version
1.13.1-1+deb11u6.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/unbound



Severity: critical

Package: unbound
Version: 1.13.1-1+deb11u6
CVE ID: CVE-2025-11411
