NLnet Labs — Vulnerabilities & Security Advisories (36)

Browse all 36 CVE security advisories affecting NLnet Labs. AI-powered Chinese analysis, POCs, and references for each vulnerability.

NLnet Labs operates as a non-profit research organization primarily focused on developing open-source software for the Domain Name System (DNS) and internet infrastructure. Its most prominent contribution is Unbound, a validating, recursive, and caching DNS resolver widely deployed for its emphasis on security and privacy. Historically, vulnerabilities associated with its software have predominantly involved memory corruption issues, such as buffer overflows and use-after-free errors, rather than application-layer flaws like cross-site scripting. These defects typically stem from low-level C code implementation details. While no catastrophic, widespread breaches have defined its public history, the presence of twenty recorded CVEs indicates ongoing challenges in maintaining strict memory safety within complex network protocols. The organization generally addresses these findings through prompt patches, reflecting a standard open-source maintenance lifecycle where technical rigor in cryptographic and network logic is prioritized over commercial feature expansion.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-10846 | Insufficient verification that responses belong to a query — ldns | CWE-346 | - | - | 2026-06-10 |
| CVE-2026-49235 | Routinator crashes on specifically crafted RRDP XML files — Routinator | CWE-755 | - | - | 2026-06-08 |
| CVE-2026-49234 | Routinator crashes on specifically crafted ASN strings in the API — Routinator | CWE-20 | - | - | 2026-06-08 |
| CVE-2026-49233 | Routinator cache path traversal using rogue rsync URIs — Routinator | CWE-22 | - | - | 2026-06-08 |
| CVE-2026-49232 | Routinator exits when accepting an incoming HTTP or RTR connection fails — Routinator | CWE-755 | - | - | 2026-06-08 |
| CVE-2026-44608 | Use after free and crash under special conditions in RPZ code — Unbound | CWE-413 | - | - | 2026-05-20 |
| CVE-2026-44390 | Unbounded name compression in certain cases causes degradation of service — Unbound | CWE-407 | - | - | 2026-05-20 |
| CVE-2026-42960 | Possible cache poisoning via promiscuous records for the authority section — Unbound | CWE-349 | - | - | 2026-05-20 |
| CVE-2026-42959 | Crash during DNSSEC validation of malicious content — Unbound | CWE-824 | - | - | 2026-05-20 |
| CVE-2026-42944 | Heap overflow with multiple NSID, COOKIE, PADDING EDNS options — Unbound | CWE-197 | - | - | 2026-05-20 |
| CVE-2026-42923 | Degradation of service with unbounded NSEC3 hash calculations — Unbound | CWE-407 | - | - | 2026-05-20 |
| CVE-2026-42534 | Jostle logic bypass degrades resolution performance — Unbound | CWE-440 | - | - | 2026-05-20 |
| CVE-2026-41292 | Long list of incoming EDNS options degrades performance — Unbound | CWE-407 | - | - | 2026-05-20 |
| CVE-2026-40622 | Another 'ghost domain names' attack variant — Unbound | | - | - | 2026-05-20 |
| CVE-2026-33278 | Possible arbitrary code execution during DNSSEC validation — Unbound | CWE-416 | - | - | 2026-05-20 |
| CVE-2026-32792 | Packet of death with DNSCrypt — Unbound | CWE-166 | - | - | 2026-05-20 |
| CVE-2025-11411 | Possible domain hijacking via promiscuous records in the authority section — Unbound | CWE-349 | 7.5 (AI) | High (AI) | 2025-10-22 |
| CVE-2025-5994 | Cache poisoning via the ECS-enabled Rebirthday Attack — Unbound | CWE-349 | 5.3 | - | 2025-07-16 |
| CVE-2025-0638 | Routinator crashes when illegal characters are present in manifest file names — Routinator | CWE-1286 | 7.5 | High | 2025-01-22 |
| CVE-2024-8508 | Unbounded name compression could lead to Denial of Service — Unbound | CWE-606 | 5.3 | Medium | 2024-10-03 |
| CVE-2024-1931 | Denial of service when trimming EDE text on positive replies — Unbound | CWE-835 | 7.5 | High | 2024-03-07 |
| CVE-2024-1622 | Routinator terminates when RTR connection is reset too quickly after opening — Routinator | CWE-253 | 7.5 | High | 2024-02-26 |
| CVE-2023-39916 | Possible path traversal when storing RRDP responses — Routinator | CWE-35 | 9.3 | Critical | 2023-09-13 |
| CVE-2023-39915 | Crashes on parsing certain invalid RPKI objects — Routinator | CWE-232 | 7.5 | High | 2023-09-13 |
| CVE-2023-39914 | BER/CER/DER decoder panics on invalid input — bcder | CWE-232 | 7.5 | High | 2023-09-13 |
| CVE-2023-0158 | Triggered crash on direct RRDP access — Krill | CWE-248 | 6.5 | - | 2023-01-17 |
| CVE-2022-3204 | NRDelegation Attack — Unbound | | 7.5 | - | 2022-09-26 |
| CVE-2022-3029 | Fatal error on incorrect base64 data in RRDP — Routinator | CWE-241 | 7.5 | - | 2022-09-13 |
| CVE-2022-30699 | Novel "ghost domain names" attack by updating almost expired delegation information — Unbound | | 6.5 | - | 2022-08-01 |
| CVE-2022-30698 | Novel "ghost domain names" attack by introducing subdomain delegations — Unbound | | 6.5 | - | 2022-08-01 |

This page lists every published CVE security advisory associated with NLnet Labs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.