{"id":"CVE-2019-16866","details":"Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIFY query. The source IP address of the query must match an access-control rule.","modified":"2026-03-20T11:28:34.938563Z","published":"2019-10-03T19:15:09.550Z","related":["MGASA-2019-0317","openSUSE-SU-2024:11005-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E65NCWZZB2D75ZIYWPXKMVGSGNYW4JMC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MLRHE7TQFAOV4MB2ELTOGESZYUL65NUJ/"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Oct/23"},{"type":"ADVISORY","url":"https://github.com/NLnetLabs/unbound/blob/release-1.9.4/doc/Changelog"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4149-1/"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4544"},{"type":"FIX","url":"https://nlnetlabs.nl/downloads/unbound/CVE-2019-16866.txt"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nlnetlabs/unbound","events":[{"introduced":"0"},{"fixed":"b60c4a472c856f0a98120b7259e991b3a6507eb5"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.9.4"}]}}],"versions":["final-svn-state","release-0.0","release-0.1","release-0.10","release-0.11","release-0.3","release-0.4","release-0.5","release-0.6","release-0.7","release-0.8","release-1.0.1","release-1.1.1","release-1.3.1","release-1.3.2","release-1.3.3","release-1.3.3rc1","release-1.4.0","release-1.4.0rc1","release-1.4.1","release-1.4.11","release-1.4.11rc1","release-1.4.11rc2","release-1.4.11rc3","release-1.4.12rc1","release-1.4.13","release-1.4.13rc1","release-1.4.13rc2","release-1.4.14","release-1.4.14rc1","release-1.4.17","release-1.4.17rc1","release-1.4.18rc1","release-1.4.18rc2","release-1.4.19","release-1.4.19rc1","release-1.4.2","release-1.4.20","release-1.4.22","release-1.4.22rc1","release-1.4.3","release-1.4.4","release-1.4.4rc1","release-1.4.5","release-1.4.5rc1","release-1.4.6","release-1.4.6rc1","release-1.4.7","release-1.4.7rc1","release-1.4.8rc1","release-1.4.9","release-1.4.9rc1","release-1.5.0rc1","release-1.5.1","release-1.5.10","release-1.5.10rc1","release-1.5.1rc1","release-1.5.1rc2","release-1.5.2","release-1.5.2rc1","release-1.5.3rc1","release-1.5.4","release-1.5.4rc1","release-1.5.5","release-1.5.5rc1","release-1.5.6","release-1.5.6rc1","release-1.5.7","release-1.5.8","release-1.5.8rc1","release-1.5.9rc1","release-1.6.0rc1","release-1.6.1rc1","release-1.6.1rc2","release-1.6.1rc3","release-1.6.2rc1","release-1.6.4rc1","release-1.6.4rc2","release-1.6.6rc1","release-1.6.6rc2","release-1.6.7","release-1.6.7rc1","release-1.7.0rc1","release-1.7.0rc2","release-1.7.0rc3","release-1.7.1rc1","release-1.7.2rc1","release-1.7.3rc1","release-1.8.0rc1","release-1.8.1rc1","release-1.8.2rc1","release-1.9.0rc1","release-1.9.1rc1","release-1.9.2","release-1.9.2rc1","release-1.9.2rc2","release-1.9.2rc3","release-1.9.3","release-1.9.3rc1","release-1.9.3rc2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-16866.json","vanir_signatures":[{"deprecated":false,"target":{"file":"util/data/msgparse.c","function":"parse_edns_from_pkt"},"source":"https://github.com/nlnetlabs/unbound/commit/b60c4a472c856f0a98120b7259e991b3a6507eb5","digest":{"length":1189,"function_hash":"108668804525512968521245781772799358515"},"signature_type":"Function","signature_version":"v1","id":"CVE-2019-16866-a87db40c"},{"deprecated":false,"target":{"file":"util/data/msgparse.c"},"source":"https://github.com/nlnetlabs/unbound/commit/b60c4a472c856f0a98120b7259e991b3a6507eb5","digest":{"line_hashes":["292524766814039243193904328654959074879","190926310423276515140667372296911008744","27514708243843590347563265495800561936","321487332142836091478680797073649085277","177862212439668206665125480104738939871","304073190949653618221352769714700421182","199722816380111729655073334388716968684","233512743183297187893823043763183726154","76661932854880288768020708891397209453","66006337680159787882268731652111930503","60537033214054800082483590096565279745","238432217213848269294299437068420066889","312452348986823874315585376232563627845","296348926669326276626544425712432599022","74495676082743279379696710893359824232"],"threshold":0.9},"signature_type":"Line","signature_version":"v1","id":"CVE-2019-16866-b0fea212"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"19.04"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}