-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-25:10.unbound Security Advisory
The FreeBSD Project
Topic: Cache poison in local-unbound service
Category: contrib
Module: unbound
Announced: 2025-11-26
Credits: Yuxiao Wu, Yunyi Zhang, Baojun Liu, Haixin Duan Yang Luo,
and JianJun Chen from Tsinghua University along with TaoFei
Guo from Peking University.
Affects: All supported versions of FreeBSD.
Corrected: 2025-11-26 16:00:04 UTC (stable/15, 15.0-STABLE)
2025-11-26 16:13:20 UTC (releng/15.0, 15.0-RC4-p1)
2025-11-26 16:01:01 UTC (stable/14, 14.3-STABLE)
2025-11-26 16:13:30 UTC (releng/14.3, 14.3-RELEASE-p6)
2025-11-26 16:02:40 UTC (stable/13, 13.5-STABLE)
2025-11-26 16:13:41 UTC (releng/13.5, 13.5-RELEASE-p7)
CVE Name: CVE-2025-11411
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Unbound is a validating, recursive, and caching DNS resolver included in the
FreeBSD base system as an optional service called 'local_unbound'.
II. Problem Description
Promiscuous NS RRSets that complement DNS replies in the authority section
can be used to trick resolvers to update their delegation information for the
zone. Usually these RRSets are used to update the resolver's knowledge of
the zone's name servers. If a malicious actor is able to attach such records
in a reply they would be able to poison Unbound's cache for the delegation
point.
III. Impact
A malicious actor can exploit the possible poisonous effect by injecting NS
RRSets (and possibly their respective address records) in a reply. This
could be done, for example, by trying to spoof a packet or fragmentation
attacks.
Unbound would then proceed to update the NS RRSet data it already has since
the new data has enough trust for it, i.e., in-zone data for the delegation
point.
FreeBSD 15.0 release candidates previously included a fix to mitigate the
poison attempt. This advisory includes an additional fix to mitigate a
poison attempt through YXDOMAIN and nodata non-referral answers.
This advisory includes patches for FreeBSD 14.3-RELEASE and 13.5-RELEASE that
cover both the original fix and the additional fix.
IV. Workaround
No workaround is available. Systems not leveraging the local-unbound service
are unaffected. Check 'sysrc local_unbound_enable' and
'ps ax | grep local-unbound' to see if it is enabled and running.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
# service local_unbound restart
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-25:10/unbound-15.patch
# fetch https://security.FreeBSD.org/patches/SA-25.10/unbound-15.patch.asc
# gpg --verify unbound-15.patch.asc
[FreeBSD 14.3, FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-25:10/unbound-13and14.patch
# fetch https://security.FreeBSD.org/patches/SA-25.10/unbound-13and14.patch.asc
# gpg --verify unbound-13and14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart the applicable daemons, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ b01f35a4e19d stable/15-n281339
releng/15.0/ dabd406d99a9 releng/15.0-n280990
stable/14/ cd40a23fb249 stable/14-n272947
releng/14.3/ 18c4eb2cc642 releng/14.3-n271451
stable/13/ 2aed524b2329 stable/13-n259573
releng/13.5/ 9b0808259a8a releng/13.5-n259183
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmknL1AACgkQbljekB8A
Gu+RNg/7Bc6vJo+NxKwMhwRO5kp0zzWLEPTgsHZXfzhNfoxg1Yie7tIeYPbYLS0E
ZQ677a8Th1QhmkdvBDG83sNqPJXYpvai3s8SZxhie8sLPZQA1JFINOEgXo3Wvfyl
9hZ+QdN8DtgZVA4yWFKVm018RefqUAsyd7e5Mw9ci6CHrTbzbjjxcGLEhatwfn/q
ALfI17WT9wPeYyP1HnC6yT0eGzyPlg+2aZCQsEdfJOjnH3ycWK54Ucy4TF2prQss
+XOLXOHQ17HJFYymQshwPbME3O9jDRPnRuszTY+W51Yqq4XH/Vc+4pAXuLaJeFVj
g0krR3aamoRO4fM/X/k+tH49dN6wEduE6lf3PzQIqxeudmK8f7rsTmI8kHUPl+EU
6alEWN0kCC/g1LYPFX48LQ++ZH80I5PaodsUHanTVz2j19uMfqxLwmAjeOhtY1JW
bqE12KmHArRQnOIfod1qWOEx1Bm9vAXCuMH7Wh5VjQf71MaNcZdbTtmuEC5g1+yO
mcBZ2KoGUJvyN5Q7+RyLakcq0Ma+4/MbDcHMxSLoEYAWgivdH99svvDb4s4AGqmD
VE7j2HiU1vOfLn/q8y4ZQYT5iXyIIXYEuTbM2Gs/C3bIy4Ke9DDt7m/JBM8rW0Fo
hEomWA9nhage5U/10/YaIWwsre63gvCTMi2B5v6RlNR/Efkq3OY=
=QjfE
-----END PGP SIGNATURE-----