From: W.C.A. Wijngaards
Date: Wed, 20 May 2026 08:22:52 +0000 (+0200)
Subject: - Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks
X-Git-Tag: release-1.25.1^0
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=75b6dba593d4fff000434cd64807c6ebd50bd244;p=thirdparty%2Funbound.git
- Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
---
diff --git a/doc/Changelog b/doc/Changelog
index a9fd4dc95..02148aaa1 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -25,6 +25,8 @@
 - Fix CVE-2026-44390, Unbounded name compression in certain cases causes degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
+ - Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks
+ to Qifan Zhang, Palo Alto Networks, for the report.
 23 April 2026: Wouter
 - Merge #1441: Fix buffer overrun in
diff --git a/services/rpz.c b/services/rpz.c
index d83acbfb0..5121e46b5 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -2469,6 +2469,7 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 {
 struct auth_zones* az;
 struct auth_zone* a;
+ struct dns_msg* ret = NULL;
 struct clientip_synthesized_rr* raddr = NULL;
 struct rpz* r = NULL;
 struct local_zone* z = NULL;
@@ -2512,13 +2513,11 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, is->qchase.qclass, &match);
 if(z != NULL) {
- lock_rw_unlock(&a->lock);
 break;
 }
 raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is);
 if(raddr != NULL) {
- lock_rw_unlock(&a->lock);
 break;
 }
 lock_rw_unlock(&a->lock);
@@ -2533,9 +2532,12 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 if(z) {
 lock_rw_unlock(&z->lock);
 }
- return rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a);
+ ret = rpz_apply_nsip_trigger(ms, &is->qchase, r, raddr, a);
+ } else {
+ ret = rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a);
 }
- return rpz_apply_nsdname_trigger(ms, &is->qchase, r, z, &match, a);
+ lock_rw_unlock(&a->lock);
+ return ret;
 }
 struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
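Review bot: The single `lock_rw_unlock(&a->lock);` before `return ret;` relies on a locking invariant that nothing in the code states: the loop in the previous hunk now leaves through `break` with `a->lock` still held, and that lock is presumably what keeps `r`, `z` and `raddr` valid while `rpz_apply_nsip_trigger` or `rpz_apply_nsdname_trigger` reads them. I would record this next to the unlock, for example `/* a->lock was kept across the break above; r, z and raddr must not be used after this unlock */`, and add a matching one-line comment on the two `break` statements so that a later cleanup does not restore the early unlocks this commit removes. The unlock also dereferences `a`, so it is only valid when a trigger matched; the no-match exit that guarantees this lies outside the visible hunks, and any return added between the loop and this line would have to release `a->lock` itself. No regression test is visible in this commit, so the comment would be the only in-tree guard against reintroducing the use after free.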