Unbound 1.23.1 released

Wouter Wijngaards wouter at nlnetlabs.nl
Wed Jul 16 09:17:38 UTC 2025


Hi,

Unbound 1.23.1 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.23.1.tar.gz
sha256 6a6b117c799d8de3868643397e0fd71591f6d42f4473f598bdb22609ff362590
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.23.1.tar.gz.asc

This security release fixes the Rebirthday Attack CVE-2025-5994.

The vulnerability re-opens resolvers to a birthday paradox, for EDNS
client subnet (ECS) servers that respond with non-ECS answers. It only
affects Unbound when it is compiled with --enable-subnet and subnetmod is
enabled with config options that send ECS information to upstream servers.

The CVE is described here:
https://nlnetlabs.nl/downloads/unbound/CVE-2025-5994.txt

We would like to thank Xiang Li (AOSP Lab, Nankai University) for
discovering and responsibly disclosing the vulnerability.

Bug Fixes:
- Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from
   AOSP Lab Nankai University.

Best regards, Wouter
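
An exposure check for the condition the announcement describes (a build with --enable-subnet, the subnet module enabled, ECS sent to upstream servers), as an added example that is not part of the original message and is not NLnet Labs code. It assumes the `unbound -V` text carries a `Version` line and the configure line, and that ECS sending shows up in the config as `module-config` containing `subnetcache` plus `send-client-subnet` or `client-subnet-zone`; the function names and sample inputs are constructed.

```sh
#!/bin/sh
# Added triage sketch for CVE-2025-5994 exposure; not NLnet Labs code.
# Limitation: include: directives in the config are not followed.

# True if the `unbound -V` text shows a build configured with --enable-subnet.
built_with_subnet() {
    printf '%s\n' "$1" | grep -q -- '--enable-subnet'
}

# True if the "Version X.Y.Z" line in the `unbound -V` text is older than 1.23.1.
older_than_fix() {
    printf '%s\n' "$1" | awk '/^Version / {
        split($2, v, "."); found = 1
        old = (v[1]+0 < 1) || (v[1]+0 == 1 && v[2]+0 < 23) ||
              (v[1]+0 == 1 && v[2]+0 == 23 && v[3]+0 < 1)
        exit
    } END { exit (found && old) ? 0 : 1 }'
}

# True if the config loads the subnet module and names ECS upstreams or zones.
sends_ecs() {
    conf=$(sed 's/#.*//' "$1")   # drop comments so disabled lines do not match
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*module-config:.*subnetcache' &&
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(send-client-subnet|client-subnet-zone):[[:space:]]*[^[:space:]]'
}

# Prints "exposed" only when all three conditions hold, else "not-exposed".
triage() {
    if older_than_fix "$1" && built_with_subnet "$1" && sends_ecs "$2"; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_V='Version 1.23.0
Configure line: --enable-subnet --with-libevent'
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server:
    module-config: "subnetcache validator iterator"
    send-client-subnet: 192.0.2.53   # constructed upstream address
EOF
triage "$SAMPLE_V" "$SAMPLE_CONF"   # prints: exposed
```

On a real host, pass the output of `unbound -V` as the first argument and each configuration file in turn as the second.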

