CVE & CISA-KEV Catalog

CVE-2025-11411

UNSCORED

Description

NLnet Labs Unbound up to and including version 1.24.1 is vulnerable to possible domain hijack attacks. Promiscuous NS RRSets that complement positive DNS replies in the authority section can be used to trick resolvers to update their delegation information for the zone. Usually these RRSets are used to update the resolver's knowledge of the zone's name servers. A malicious actor can exploit the possible poisonous effect by injecting NS RRSets (and possibly their respective address records) in a reply. This could be done for example by trying to spoof a packet or fragmentation attacks. Unbound would then proceed to update the NS RRSet data it already has since the new data has enough trust for it, i.e., in-zone data for the delegation point. Unbound 1.24.1 includes a fix that scrubs unsolicited NS RRSets (and their respective address records) from replies mitigating the possible poison effect. Unbound 1.24.2 includes an additional fix that scrubs unsolicited NS RRSets (and their respective address records) from YXDOMAIN and non-referral nodata replies, further mitigating the possible poison effect.

How to fix

Remediation Available
unboundDebian
Fixed in:1.13.1-1+deb11u7CVE-2025-11411
Fixed in:1.17.1-2+deb12u4CVE-2025-11411
Fixed in:1.22.0-2+deb13u1CVE-2025-11411
Fixed in:1.24.2-1CVE-2025-11411
python3-unboundRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
python3-unboundRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
python3-unbound-debuginfoRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
python3-unbound-debuginfoRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unboundRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unboundRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-anchorRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
unbound-anchorRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
unbound-anchor-debuginfoRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
unbound-anchor-debuginfoRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
unbound-debuginfoRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-debuginfoRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-debugsourceRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-debugsourceRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-develRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-develRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-dracutRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-dracutRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-libsRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-libsRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-libs-debuginfoRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-libs-debuginfoRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
Fixed in:0:1.24.2-2.el9RHSA-2026:18931
unbound-utilsRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
unbound-utilsRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
unbound-utils-debuginfoRed Hat / RHEL
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
unbound-utils-debuginfoRocky
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
Fixed in:0:1.24.2-7.el10RHSA-2026:18556
libunbound8Ubuntu
Fixed in:1.13.1-1ubuntu5.14USN-7855-2
Fixed in:1.13.1-1ubuntu5.13USN-7855-1
Fixed in:1.19.2-1ubuntu3.6USN-7855-1
Fixed in:1.19.2-1ubuntu3.7USN-7855-2
Fixed in:1.22.0-2ubuntu2.2USN-7855-2
Fixed in:1.22.0-2ubuntu2.1USN-7855-1
unboundUbuntu
Fixed in:1.13.1-1ubuntu5.13USN-7855-1
Fixed in:1.13.1-1ubuntu5.14USN-7855-2
Fixed in:1.19.2-1ubuntu3.7USN-7855-2
Fixed in:1.19.2-1ubuntu3.6USN-7855-1
Fixed in:1.22.0-2ubuntu2.1USN-7855-1
Fixed in:1.22.0-2ubuntu2.2USN-7855-2

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3.1 Vector

No CVSS vector data available.

Exploit Intelligence

0.31%probability of exploitation in 30 days
23rdpercentile

Low risk: more likely to be exploited than 23% of all known CVEs.

References

Embed a live status badge for CVE-2025-11411
CVE-2025-11411 severity badge

Markdown

[![CVE-2025-11411](https://tridentstack.com/cve/badge/CVE-2025-11411.svg)](https://tridentstack.com/cve/CVE-2025-11411)

HTML

<a href="https://tridentstack.com/cve/CVE-2025-11411"><img src="https://tridentstack.com/cve/badge/CVE-2025-11411.svg" alt="CVE-2025-11411"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-12-05.