CVE-2025-11411

NameCVE-2025-11411
DescriptionNLnet Labs Unbound up to and including version 1.24.1 is vulnerable to ...
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4365-1, DLA-4365-2, DSA-6071-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
unbound (PTS)bullseye1.13.1-1+deb11u2vulnerable
bullseye (security)1.13.1-1+deb11u7fixed
bookworm1.17.1-2+deb12u4fixed
bookworm (security)1.17.1-2+deb12u3vulnerable
trixie (security), trixie1.22.0-2+deb13u1fixed
forky, sid1.24.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
unboundsourcebullseye1.13.1-1+deb11u7DLA-4365-2
unboundsourcebookworm1.17.1-2+deb12u4
unboundsourcetrixie1.22.0-2+deb13u1DSA-6071-1
unboundsource(unstable)1.24.2-1

Notes

https://www.nlnetlabs.nl/downloads/unbound/CVE-2025-11411.txt
Fixed by: https://github.com/NLnetLabs/unbound/commit/a33f0638e1dacf2633cf2292078a674576bca852 (release-1.24.1)
The original fix for CVE-2025-11411 was incomplete and required a followup
(cf. https://bugs.debian.org/1121446) to include YXDOMAIN and non-referral
nodata answers in the mitigation as well:
Followup: https://github.com/NLnetLabs/unbound/commit/f6269baa605d31859f28770e01a24e3677e5f82c (release-1.24.2)
Search for package or bug name: Reporting problems