-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-25:10.unbound Security Advisory
The FreeBSD Project
Topic: Cache poison in local-unbound service
Category: contrib
Module: unbound
Announced: 2025-11-26
Credits: Yuxiao Wu, Yunyi Zhang, Baojun Liu, Haixin Duan, Yang Luo,
and JianJun Chen from Tsinghua University along with TaoFei
Guo from Peking University.
Affects: All supported versions of FreeBSD.
Corrected: 2025-11-26 16:00:04 UTC (stable/15, 15.0-STABLE)
2025-11-26 16:13:20 UTC (releng/15.0, 15.0-RC4-p1)
2025-11-26 16:01:01 UTC (stable/14, 14.3-STABLE)
2025-11-26 16:13:30 UTC (releng/14.3, 14.3-RELEASE-p6)
2025-11-26 16:02:40 UTC (stable/13, 13.5-STABLE)
2025-11-26 16:13:41 UTC (releng/13.5, 13.5-RELEASE-p7)
CVE Name: CVE-2025-11411
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Unbound is a validating, recursive, and caching DNS resolver included in the
FreeBSD base system as an optional service called 'local_unbound'.
II. Problem Description
Promiscuous NS RRSets that complement DNS replies in the authority section
can be used to trick resolvers to update their delegation information for the
zone. Usually these RRSets are used to update the resolver's knowledge of
the zone's name servers. If a malicious actor is able to attach such records
in a reply they would be able to poison Unbound's cache for the delegation
point.
III. Impact
A malicious actor can exploit the possible poisonous effect by injecting NS
RRSets (and possibly their respective address records) in a reply. This
could be done, for example, by trying to spoof a packet or fragmentation
attacks.
Unbound would then proceed to update the NS RRSet data it already has since
the new data has enough trust for it, i.e., in-zone data for the delegation
point.
FreeBSD 15.0 release candidates previously included a fix to mitigate the
poison attempt. This advisory includes an additional fix to mitigate a
poison attempt through YXDOMAIN and nodata non-referral answers.
This advisory includes patches for FreeBSD 14.3-RELEASE and 13.5-RELEASE that
cover both the original fix and the additional fix.
IV. Workaround
No workaround is available. Systems not leveraging the local-unbound service
are unaffected. Check 'sysrc local_unbound_enable' and
'ps ax | grep local-unbound' to see if it is enabled and running.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:
# freebsd-update fetch
# freebsd-update install
# service local_unbound restart
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-25:10/unbound-15.patch
# fetch https://security.FreeBSD.org/patches/SA-25.10/unbound-15.patch.asc
# gpg --verify unbound-15.patch.asc
[FreeBSD 14.3, FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-25:10/unbound-13and14.patch
# fetch https://security.FreeBSD.org/patches/SA-25.10/unbound-13and14.patch.asc
# gpg --verify unbound-13and14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart the applicable daemons, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ b01f35a4e19d stable/15-n281339
releng/15.0/ dabd406d99a9 releng/15.0-n280990
stable/14/ cd40a23fb249 stable/14-n272947
releng/14.3/ 18c4eb2cc642 releng/14.3-n271451
stable/13/ 2aed524b2329 stable/13-n259573
releng/13.5/ 9b0808259a8a releng/13.5-n259183
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmko9iIACgkQbljekB8A
Gu+EtQ//fPkMggHwUnu6iWiKbqv0b+KD0viWbgBt92S4HAvqNN2jXxZiLt59pLCM
S9hHICLvS2qxdg4NLwAZU/O/7M4k6OvuSDlVcVEixlXXGsKskUF3cvrW+FfSGRD2
/mUtcUJYLeGF8NBTlmj6oMpRgC0IMNspEXJVYvmP12uyzAKUDrIku1t0jC0qMKvs
fVfM6/ElqKFrYoKlIVYlPcCF8BB/CwMWooZmIDhb1g2OUsAnGP9E+NekFIIVWZhM
hkLjL+9JQK8wLCDOD8M+/Z/1F++RvJy5mBUvYGZeD5LWXB+ruUddGL2AmRd0NJPF
G1V4TR9deMlpm8Oc7PDobMrtZxP1L7rIs5ZV9ydqOiy6vvDfL+9fDTqoefz2RSn0
CvS+5DZSWWY+Q7/up8e8XnIA7b0DDC9+8IokVgWg9kA3KPeZ6kIpJVBb1PjOwdih
58QeGzLEwE96e6wMgSHBNqd46BMyCbbLrY2eya8qNZNfrQa1OY/xDWA1wLAlCQBd
5BcfB12wA3xai0UbpPwQswP+5KtEk1aHfIkema0LZfgroxCwi4oDC2rY2vXtFYxR
dOl0UalXfc1oeJ2lqFS0lvxwUq4J+Ygt8MYN5IWGeLl5Ra+VbA5YsMKDEGVeXIqV
y0qmomM5eT+VZXsYSIafv4QQCThwJpTLo2MIQrQ8LFcealxSFUk=
=i5jo
-----END PGP SIGNATURE-----