{"id":"CVE-2020-28935","details":"NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. 
It requires an attacker to have access to the limited-permission user Unbound/NSD runs as and to point the symlink at a critical file on the system.","modified":"2026-04-02T05:50:46.876572Z","published":"2020-12-07T22:15:20.853Z","related":["MGASA-2021-0154","SUSE-SU-2022:0176-1","SUSE-SU-2022:0176-2","SUSE-SU-2022:0301-1","openSUSE-SU-2020:2222-1","openSUSE-SU-2022:0176-1","openSUSE-SU-2024:11005-1","openSUSE-SU-2024:11100-1","openSUSE-SU-2025:15069-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"},{"type":"ADVISORY","url":"https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"},{"type":"ADVISORY","url":"https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202101-38"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nlnetlabs/nsd","events":[{"introduced":"0"},{"fixed":"abd27bc66abc58889f1b0d295404c8b8aea74315"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.3.4"}]}},{"type":"GIT","repo":"https://github.com/nlnetlabs/unbound","events":[{"introduced":"0"},{"fixed":"d09e193403f36d2a10dccd7c6ffab45191af9a18"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.13.0"}]}}],"versions":["1.11.0rc1","ALPHA","ALPHA2","ANSWERS","CREDNS_0_2_10_REL","LABS","NAMED8_STATS","NSD_1_0_1_BETA5","NSD_1_0_1_BP","NSD_1_0_2_REL","NSD_1_0_2_merge_into_1_1_0","NSD_1_0_3_REL","NSD_1_0_3_last_merge","NSD_1_0_BP","NSD_1_1_0B2_REL","NSD_1_1_0_BP","NSD_1_1_0_REL","NSD_1_1_0_end_of_merge","NSD_1_1_0_last_merge","NSD_1_1_1","NSD_1_1_1_BP","NSD_1_2_0_REL","NSD_1_2_1_REL","NSD_1_2_2_REL","NSD_1_2_3_REL","NSD_1_2_4_REL","NSD_1_2_BP","NSD_1_2_end_of_merge","NSD_1_2_last_merge","NSD_1_3_0_ALPHA_1_REL","NSD_1_3_BP","NSD_1_4_0_ALPHA_1_REL","NSD_2_0_0_REL","NSD_2_0_0_WS_REL","NSD_2_0_1_REL","NSD_2_0_2_REL","NSD_2_0_BP","NSD_2_0_end
_of_merge","NSD_2_0_last_merge","NSD_2_1_0_REL","NSD_2_1_1_REL","NSD_2_1_2_REL","NSD_2_1_3_REL","NSD_2_1_4_REL","NSD_2_1_5_REL","NSD_2_1_BP","NSD_2_1_end_of_merge","NSD_2_1_last_merge","NSD_2_2_0_REL","NSD_2_2_1_REL","NSD_2_2_BP","NSD_2_2_BP2","NSD_2_2_end_of_merge","NSD_2_2_last_merge","NSD_2_3_0_REL","NSD_2_3_1_REL","NSD_2_3_2_REL","NSD_2_3_3_REL","NSD_2_3_4_REL","NSD_2_3_5_REL","NSD_2_3_6_REL","NSD_2_3_7_REL","NSD_3_0_0_REL","NSD_3_0_1_REL","NSD_3_0_2_REL","NSD_3_0_3_REL","NSD_3_0_4_REL","NSD_3_0_5_REL","NSD_3_0_6_REL","NSD_3_0_7_REL","NSD_3_0_8_REL","NSD_3_1_0_REL","NSD_3_1_1_DEBUG","NSD_3_1_1_REL","NSD_3_2_0_REL","NSD_3_2_10_REL","NSD_3_2_11_REL","NSD_3_2_11_SEXY_BETA1","NSD_3_2_11_SEXY_BETA2","NSD_3_2_12_REL","NSD_3_2_13_REL","NSD_3_2_14_RC1","NSD_3_2_14_REL","NSD_3_2_15_RC1","NSD_3_2_15_REL","NSD_3_2_16_RC1","NSD_3_2_16_REL","NSD_3_2_17_RC1","NSD_3_2_17_RC2","NSD_3_2_17_REL","NSD_3_2_18_RC1","NSD_3_2_18_REL","NSD_3_2_19_RC1","NSD_3_2_19_REL","NSD_3_2_1_REL","NSD_3_2_20_RC1","NSD_3_2_20_REL","NSD_3_2_21_RC1","NSD_3_2_21_REL","NSD_3_2_22_RC1","NSD_3_2_22_RC2","NSD_3_2_22_REL","NSD_3_2_2_REL","NSD_3_2_3_REL","NSD_3_2_4_REL","NSD_3_2_5_REL","NSD_3_2_6_REL","NSD_3_2_7_REL","NSD_3_2_8_RC1","NSD_3_2_8_RC2","NSD_3_2_8_REL","NSD_3_2_9_REL","NSD_3_XML_SOCK_DB","NSD_3_signalsocket_solution","NSD_4_0_0_BETA1","NSD_4_0_0_BETA2","NSD_4_0_0_BETA3","NSD_4_0_0_BETA4","NSD_4_0_0_BETA5","NSD_4_0_0_RC1","NSD_4_0_0_RC2","NSD_4_0_0_RC3","NSD_4_0_0_REL","NSD_4_0_0_imp_1","NSD_4_0_0_imp_2","NSD_4_0_0_imp_3","NSD_4_0_0_imp_4","NSD_4_0_0_imp_5","NSD_4_0_0_imp_6","NSD_4_0_1_RC1","NSD_4_0_1_RC2","NSD_4_0_1_REL","NSD_4_0_2_RC1","NSD_4_0_2_REL","NSD_4_0_3_REL","NSD_4_1_0_RC1","NSD_4_1_0_REL","NSD_4_1_10_RC1","NSD_4_1_10_RC2","NSD_4_1_10_REL","NSD_4_1_11_RC1","NSD_4_1_11_RC2","NSD_4_1_11_REL","NSD_4_1_12_REL","NSD_4_1_13_RC1","NSD_4_1_13_REL","NSD_4_1_14_RC1","NSD_4_1_14_REL","NSD_4_1_15_RC1","NSD_4_1_15_REL","NSD_4_1_16_RC1","NSD_4_1_16_REL","NSD_4_1_17_RC1","NSD_4_1_17_REL","NSD_4_1_18_R
C1","NSD_4_1_18_RC2","NSD_4_1_18_REL","NSD_4_1_19RC1","NSD_4_1_19_RC1","NSD_4_1_19_REL","NSD_4_1_1_RC1","NSD_4_1_1_REL","NSD_4_1_20_RC1","NSD_4_1_20_REL","NSD_4_1_21_RC1","NSD_4_1_21_REL","NSD_4_1_22_RC1","NSD_4_1_22_REL","NSD_4_1_23_REL","NSD_4_1_24_RC1","NSD_4_1_24_REL","NSD_4_1_25_RC1","NSD_4_1_25_REL","NSD_4_1_26_RC1","NSD_4_1_26_REL","NSD_4_1_27_RC1","NSD_4_1_27_REL","NSD_4_1_2_RC1","NSD_4_1_2_RC2","NSD_4_1_2_REL","NSD_4_1_3_RC1","NSD_4_1_3_REL","NSD_4_1_4_RC1","NSD_4_1_4_REL","NSD_4_1_5_REL","NSD_4_1_6_RC1","NSD_4_1_6_RC2","NSD_4_1_6_REL","NSD_4_1_7_RC1","NSD_4_1_7_REL","NSD_4_1_8_RC1","NSD_4_1_8_REL","NSD_4_1_9_REL","NSD_4_2_0_RC1","NSD_4_2_0_REL","NSD_4_2_1_RC1","NSD_4_2_1_REL","NSD_4_2_2_RC1","NSD_4_2_2_RC2","NSD_4_2_2_REL","NSD_4_2_3_RC1","NSD_4_2_3_REL","NSD_4_2_4_RC1","NSD_4_2_4_REL","NSD_4_3_0_RC1","NSD_4_3_0_REL","NSD_4_3_1_RC1","NSD_4_3_1_RC2","NSD_4_3_1_REL","NSD_4_3_2_RC1","NSD_4_3_2_REL","NSD_4_3_3_RC1","NSD_4_3_3_REL","NSD_S64","PostScrewUp","before_optimization","final-svn-state","help","new_zf_parser_start","release-0.0","release-0.1","release-0.10","release-0.11","release-0.2","release-0.3","release-0.4","release-0.5","release-0.6","release-0.7","release-0.7.1","release-0.7.2","release-0.8","release-0.9","release-1.0.0","release-1.0.1","release-1.0.2","release-1.1.0","release-1.1.1","release-1.10.0","release-1.10.0rc1","release-1.10.0rc2","release-1.10.1","release-1.11.0","release-1.11.0rc1","release-1.12.0","release-1.12.0rc1","release-1.13.0rc1","release-1.13.0rc2","release-1.13.0rc3","release-1.13.0rc4","release-1.13.1","release-1.13.1rc1","release-1.13.1rc2","release-1.13.2","release-1.13.2rc1","release-1.14.0","release-1.14.0rc1","release-1.15.0","release-1.15.0rc1","release-1.16.0","release-1.16.0rc1","release-1.16.1","release-1.16.1rc1","release-1.16.2","release-1.16.3","release-1.17.0","release-1.17.0rc1","release-1.17.1","release-1.17.1rc1","release-1.17.1rc2","release-1.18.0","release-1.18.0rc1","release-1.19.0","release-1.19.0rc1","r
elease-1.19.1","release-1.19.2","release-1.19.3","release-1.19.3rc1","release-1.19.3rc2","release-1.2.0","release-1.2.1","release-1.20.0","release-1.20.0rc1","release-1.21.0","release-1.21.0rc1","release-1.21.1","release-1.22.0","release-1.22.0rc1","release-1.23.0","release-1.23.0rc1","release-1.23.0rc2","release-1.23.1","release-1.24.0","release-1.24.0rc1","release-1.24.1","release-1.24.2","release-1.3.0","release-1.3.1","release-1.3.2","release-1.3.3","release-1.3.3rc1","release-1.3.4","release-1.4.0","release-1.4.0rc1","release-1.4.1","release-1.4.10","release-1.4.11","release-1.4.11rc1","release-1.4.11rc2","release-1.4.11rc3","release-1.4.12","release-1.4.12rc1","release-1.4.13","release-1.4.13p1","release-1.4.13p2","release-1.4.13rc1","release-1.4.13rc2","release-1.4.14","release-1.4.14rc1","release-1.4.15","release-1.4.15rc1","release-1.4.16","release-1.4.17","release-1.4.17rc1","release-1.4.18","release-1.4.18rc1","release-1.4.18rc2","release-1.4.19","release-1.4.19rc1","release-1.4.2","release-1.4.20","release-1.4.20rc1","release-1.4.21","release-1.4.21rc1","release-1.4.22","release-1.4.22rc1","release-1.4.3","release-1.4.4","release-1.4.4rc1","release-1.4.5","release-1.4.5rc1","release-1.4.6","release-1.4.6rc1","release-1.4.7","release-1.4.7rc1","release-1.4.8","release-1.4.8rc1","release-1.4.9","release-1.4.9rc1","release-1.5.0","release-1.5.0rc1","release-1.5.1","release-1.5.10","release-1.5.10rc1","release-1.5.1rc1","release-1.5.1rc2","release-1.5.2","release-1.5.2rc1","release-1.5.3","release-1.5.3rc1","release-1.5.4","release-1.5.4rc1","release-1.5.5","release-1.5.5rc1","release-1.5.6","release-1.5.6rc1","release-1.5.7","release-1.5.7rc1","release-1.5.8","release-1.5.8rc1","release-1.5.9","release-1.5.9rc1","release-1.6.0","release-1.6.0rc1","release-1.6.1","release-1.6.1rc1","release-1.6.1rc2","release-1.6.1rc3","release-1.6.2","release-1.6.2rc1","release-1.6.3","release-1.6.4","release-1.6.4rc1","release-1.6.4rc2","release-1.6.5","release-1.6.5@4299"
,"release-1.6.6","release-1.6.6rc1","release-1.6.6rc2","release-1.6.7","release-1.6.7rc1","release-1.6.8","release-1.7.0","release-1.7.0rc1","release-1.7.0rc2","release-1.7.0rc3","release-1.7.1","release-1.7.1rc1","release-1.7.2","release-1.7.2rc1","release-1.7.3","release-1.7.3rc1","release-1.7.3rc2","release-1.8.0","release-1.8.0rc1","release-1.8.1","release-1.8.1rc1","release-1.8.2","release-1.8.2rc1","release-1.8.3","release-1.9.0","release-1.9.0rc1","release-1.9.1","release-1.9.1rc1","release-1.9.2","release-1.9.2rc1","release-1.9.2rc2","release-1.9.2rc3","release-1.9.3","release-1.9.3rc1","release-1.9.3rc2","release-1.9.4","release-1.9.5","release-1.9.6","release-1.9.6rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-28935.json","vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["192475694659583013021296571372915521578","72502292287513406962723348630422573458","331047910258018515085774480826715087900","60580249850759924852175381199970496282"]},"id":"CVE-2020-28935-036299a6","source":"https://github.com/nlnetlabs/unbound/commit/d09e193403f36d2a10dccd7c6ffab45191af9a18","signature_type":"Line","deprecated":false,"target":{"file":"util/netevent.c"},"signature_version":"v1"},{"digest":{"length":2005,"function_hash":"315128232998359276463212529938774076113"},"id":"CVE-2020-28935-9b8aa9ec","source":"https://github.com/nlnetlabs/unbound/commit/d09e193403f36d2a10dccd7c6ffab45191af9a18","signature_type":"Function","deprecated":false,"target":{"file":"util/netevent.c","function":"comm_point_tcp_handle_callback"},"signature_version":"v1"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}