{"id":"CVE-2024-8508","details":"NLnet Labs Unbound up to and including version 1.21.0 contains a vulnerability when handling replies with very large RRsets that it needs to perform name compression for. Malicious upstream responses with very large RRsets can cause Unbound to spend a considerable time applying name compression to downstream replies. This can lead to degraded performance and eventually denial of service in well-orchestrated attacks. The vulnerability can be exploited by a malicious actor querying Unbound for the specially crafted contents of a malicious zone with very large RRsets. Before Unbound replies to the query it will try to apply name compression, which was an unbounded operation that could lock the CPU until the whole packet was complete. Unbound version 1.21.1 introduces a hard limit on the number of name compression calculations it is willing to do per packet. Packets that need more compression will result in semi-compressed packets or truncated packets, even on TCP for huge messages, to avoid locking the CPU for long.
This change should not affect normal DNS traffic.","modified":"2026-03-20T12:40:11.307442Z","published":"2024-10-03T17:15:15.323Z","related":["ALSA-2024:11232","ALSA-2025:0837","ALSA-2025:8047","MGASA-2024-0333","SUSE-SU-2024:3646-1","SUSE-SU-2024:3647-1","SUSE-SU-2025:20126-1","SUSE-SU-2025:20359-1","openSUSE-SU-2024:14391-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00009.html"},{"type":"ADVISORY","url":"https://www.nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2024/10/04/5"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nlnetlabs/unbound","events":[{"introduced":"0"},{"fixed":"b7c61d7cc256d6a174e6179622c7fa968272c259"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.21.1"}]}}],"versions":["1.11.0rc1","final-svn-state","release-0.0","release-0.1","release-0.10","release-0.11","release-0.3","release-0.4","release-0.5","release-0.6","release-0.7","release-0.8","release-1.0.1","release-1.1.1","release-1.10.0rc1","release-1.10.0rc2","release-1.11.0","release-1.11.0rc1","release-1.12.0","release-1.12.0rc1","release-1.13.0rc1","release-1.13.0rc2","release-1.13.0rc3","release-1.13.0rc4","release-1.13.1","release-1.13.1rc1","release-1.13.1rc2","release-1.13.2","release-1.13.2rc1","release-1.14.0","release-1.14.0rc1","release-1.15.0","release-1.15.0rc1","release-1.16.0","release-1.16.0rc1","release-1.16.1","release-1.16.1rc1","release-1.16.2","release-1.16.3","release-1.17.0","release-1.17.0rc1","release-1.17.1","release-1.17.1rc1","release-1.17.1rc2","release-1.18.0","release-1.18.0rc1","release-1.19.0","release-1.19.0rc1","release-1.19.3rc1","release-1.20.0","release-1.20.0rc1","release-1.21.0","release-1.21.0rc1","release-1.3.1","release-1.3.2","release-1.3.3","release-1.3.3rc1","release-1.4.0","release-1.4.0rc1","release-1.4.1","release-1.4.11","release-1.4.11rc1","release-1.4.11rc2","release-1.4.11rc3","re
lease-1.4.12rc1","release-1.4.13","release-1.4.13rc1","release-1.4.13rc2","release-1.4.14","release-1.4.14rc1","release-1.4.17","release-1.4.17rc1","release-1.4.18rc1","release-1.4.18rc2","release-1.4.19","release-1.4.19rc1","release-1.4.2","release-1.4.20","release-1.4.22","release-1.4.22rc1","release-1.4.3","release-1.4.4","release-1.4.4rc1","release-1.4.5","release-1.4.5rc1","release-1.4.6","release-1.4.6rc1","release-1.4.7","release-1.4.7rc1","release-1.4.8rc1","release-1.4.9","release-1.4.9rc1","release-1.5.0rc1","release-1.5.1","release-1.5.10","release-1.5.10rc1","release-1.5.1rc1","release-1.5.1rc2","release-1.5.2","release-1.5.2rc1","release-1.5.3rc1","release-1.5.4","release-1.5.4rc1","release-1.5.5","release-1.5.5rc1","release-1.5.6","release-1.5.6rc1","release-1.5.7","release-1.5.8","release-1.5.8rc1","release-1.5.9rc1","release-1.6.0rc1","release-1.6.1rc1","release-1.6.1rc2","release-1.6.1rc3","release-1.6.2rc1","release-1.6.4rc1","release-1.6.4rc2","release-1.6.6rc1","release-1.6.6rc2","release-1.6.7","release-1.6.7rc1","release-1.7.0rc1","release-1.7.0rc2","release-1.7.0rc3","release-1.7.1rc1","release-1.7.2rc1","release-1.7.3rc1","release-1.8.0rc1","release-1.8.1rc1","release-1.8.2rc1","release-1.9.0rc1","release-1.9.1rc1","release-1.9.2","release-1.9.2rc1","release-1.9.2rc2","release-1.9.2rc3","release-1.9.3","release-1.9.3rc1","release-1.9.3rc2","release-1.9.4","release-1.9.6","release-1.9.6rc1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8508.json","vanir_signatures":[{"signature_type":"Function","id":"CVE-2024-8508-21871d2b","digest":{"function_hash":"132928229611143481398363643724264327581","length":484},"source":"https://github.com/nlnetlabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259","deprecated":false,"signature_version":"v1","target":{"function":"compress_any_dname","file":"util/data/m
sgencode.c"}},{"signature_type":"Function","id":"CVE-2024-8508-4716eb5b","digest":{"function_hash":"146156269831183021738807601829942720938","length":1022},"source":"https://github.com/nlnetlabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259","deprecated":false,"signature_version":"v1","target":{"function":"compress_rdata","file":"util/data/msgencode.c"}},{"signature_type":"Function","id":"CVE-2024-8508-63596646","digest":{"function_hash":"182066590311601143981048775648991258739","length":2337},"source":"https://github.com/nlnetlabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259","deprecated":false,"signature_version":"v1","target":{"function":"packed_rrset_encode","file":"util/data/msgencode.c"}},{"signature_type":"Function","id":"CVE-2024-8508-927035ea","digest":{"function_hash":"311904588141379192292538188078575241346","length":2645},"source":"https://github.com/nlnetlabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259","deprecated":false,"signature_version":"v1","target":{"function":"reply_info_encode","file":"util/data/msgencode.c"}},{"signature_type":"Line","id":"CVE-2024-8508-9f916110","digest":{"threshold":0.9,"line_hashes":[]},"source":"https://github.com/nlnetlabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259","deprecated":false,"signature_version":"v1","target":{"file":"util/data/msgencode.c"}},{"signature_type":"Function","id":"CVE-2024-8508-b27a244a","digest":{"function_hash":"7504209329107809935345772049067085262","length":1084},"source":"https://github.com/nlnetlabs/unbound/c
ommit/b7c61d7cc256d6a174e6179622c7fa968272c259","deprecated":false,"signature_version":"v1","target":{"function":"compress_owner","file":"util/data/msgencode.c"}},{"signature_type":"Function","id":"CVE-2024-8508-dc37977f","digest":{"function_hash":"154427762653888097131478636532732144050","length":1206},"source":"https://github.com/nlnetlabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259","deprecated":false,"signature_version":"v1","target":{"function":"insert_section","file":"util/data/msgencode.c"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}