CVE-2019-25032

9.8 CRITICAL

📋 TL;DR

CVE-2019-25032 is an integer overflow in the regional (arena-style) allocator of the Unbound DNS resolver (util/regional.c, `regional_alloc`). If the size arithmetic wraps, the allocator could hand out a region smaller than requested, which is the classic route to memory corruption. The flawed code is present in every Unbound release before 1.9.5, where it was fixed. The vendor, NLnet Labs, disputes that this is a practical vulnerability: although the code is flawed, it states that a running Unbound installation cannot be exploited through it, remotely or locally.

💻 Affected Systems

Products:
  • Unbound DNS resolver
Versions: All versions before 1.9.5
Operating Systems: Linux, BSD, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor disputes that this is an exploitable vulnerability in practice. The flawed allocator code is compiled into every build before 1.9.5 regardless of configuration, but NLnet Labs states that no running installation can be exploited through it.

📦 What is this software?

Unbound is a validating, recursive, caching DNS resolver developed by NLnet Labs. It is widely deployed as a local or network resolver on Linux, BSD and other Unix-like systems, and is also embedded in products such as firewalls and routers. Internally it uses a region-based allocator (util/regional.c) for short-lived per-query and per-message data; that allocator is where this flaw sits.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Theoretical remote code execution leading to complete system compromise, if the integer overflow could be triggered so that an undersized region is handed out and then written past. No way to trigger it in a running resolver is known; the vendor states there is none.

🟠

Likely Case

Denial of service through a resolver crash, if the overflow could be triggered at all. The vendor disputes practical exploitability, so even this outcome is theoretical.

🟢

If Mitigated

Minimal impact. Once upgraded to 1.9.5 or later the flawed code is gone; on unpatched hosts that are restricted to trusted clients, only those clients retain the theoretical ability to reach the code path.

🌐 Internet-Facing: LOW
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

No public exploit or proof of concept is known. The vendor states that running installations cannot be exploited remotely or locally; the CVE exists because the flawed code was identified in a source audit, not because an attack was demonstrated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.5 and later

Vendor Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2019-25032.txt

Restart Required: Yes

Instructions:

1. Obtain Unbound 1.9.5 or later, either from your distribution's package repository or from nlnetlabs.nl.
2. Stop the Unbound service.
3. Install the new version.
4. Start the Unbound service again and confirm it is resolving.

Distributions sometimes backport the fix into an older version number; if your package reports a version below 1.9.5, check its changelog for a reference to CVE-2019-25032 (or to the 1.9.5 audit fixes) before treating it as vulnerable.

🔧 Temporary Workarounds

Restrict network access

linux

Limit who can query Unbound to trusted networks only. The rules below use `-A` (append), so they only take effect if no earlier ACCEPT rule in the INPUT chain already matches port 53 traffic; replace `trusted_network` with your client range in CIDR notation. This limits which clients can send queries; it does nothing about data the resolver receives in responses from upstream servers on the Internet.

iptables -A INPUT -p tcp --dport 53 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 53 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j DROP
iptables -A INPUT -p udp --dport 53 -j DROP

Unbound can enforce the same restriction itself: the `interface:` and `access-control:` options in unbound.conf control which addresses it listens on and which client ranges are allowed to query it. Using both the host firewall and Unbound's own access control is the usual practice.

🧯 If You Can't Patch

  • Implement strict network segmentation so that only known client ranges can reach the resolver
  • Keep Unbound running as its dedicated unprivileged user (the default `username: "unbound"`) so that a hypothetical crash or corruption does not run as root
  • Monitor for unusual process crashes, restarts or memory usage patterns

🔍 How to Verify

Check if Vulnerable:

Check the installed Unbound version with 'unbound -V' (the first line of its output reads "Version X.Y.Z"; 'unbound -h' also prints the version). Any version below 1.9.5 carries the flawed code unless the distribution has backported the fix. Compare versions component by component: 1.10.0 is newer than 1.9.5, even though a plain string comparison sorts it first.

Check Version:

unbound -V

Verify Fix Applied:

Confirm with 'unbound -V' that the running binary reports 1.9.5 or higher, and that the service was restarted after the upgrade so the new binary is actually the one serving queries.
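The check above, written out as a script. This is an added example, not code from NLnet Labs or the Unbound project. It assumes that the first line of `unbound -V` output has the form "Version X.Y.Z", compares version components numerically (so that 1.10.x is correctly treated as newer than 1.9.5), and falls back to a constructed sample when no unbound binary is installed so it can be run offline.

```sh
#!/bin/sh
# Added example, not code from NLnet Labs or the Unbound project.
# Decides whether a host is in the affected range (before 1.9.5) from the
# output of `unbound -V`, comparing version components numerically so that
# 1.10.x is correctly treated as newer than 1.9.5 (a plain string comparison
# would say the opposite).

FIXED_VERSION="1.9.5"   # first release that carries the fix

# version_lt A B: return 0 if version A is older than version B, 1 otherwise.
# Components are compared numerically; a trailing suffix such as "rc1" is
# ignored (awk's string-to-number conversion stops at the first non-digit).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, ".")
        m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# unbound_version_from_output TEXT: print the "X.Y.Z" found on the first line
# of `unbound -V` output. Assumes (assumption) that line reads "Version X.Y.Z".
unbound_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# is_vulnerable TEXT: return 0 if TEXT (captured `unbound -V` output) reports
# a version before 1.9.5, 1 if it is 1.9.5 or newer, 2 if no version was found.
is_vulnerable() {
    v=$(unbound_version_from_output "$1")
    if [ -z "$v" ]; then
        echo "could not find a version line in unbound -V output" >&2
        return 2
    fi
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample (not captured from a real host) so the script runs offline.
SAMPLE_OUTPUT="Version 1.9.4

Configure line: --prefix=/usr --sysconfdir=/etc
Linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1d"

if command -v unbound >/dev/null 2>&1; then
    OUTPUT=$(unbound -V 2>/dev/null || true)
else
    OUTPUT="$SAMPLE_OUTPUT"
fi

if is_vulnerable "$OUTPUT"; then
    echo "AFFECTED: Unbound $(unbound_version_from_output "$OUTPUT") is before $FIXED_VERSION"
else
    echo "not in the affected range (or the version could not be parsed)"
fi
```

Remember that a version below 1.9.5 reported by a distribution package may still carry a backported fix; the script only tells you whether the upstream version is in the affected range, so check the package changelog before raising an alert.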

📡 Detection & Monitoring

Log Indicators:

  • Unbound process crashes or unexpected restarts (a segmentation fault is reported by the kernel in the system log or journal, not in Unbound's own log)
  • Memory allocation errors in Unbound's log or the system log

Network Indicators:

  • Unusual DNS query patterns attempting to trigger memory allocation

SIEM Query (Unbound logs to syslog by default, so include the system log as a source):

(source="unbound.log" OR source="syslog") AND ("crash" OR "segmentation fault" OR "segfault" OR "memory allocation")

🔗 References

  • Vendor advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2019-25032.txt
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2019-25032