Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow-running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allows the jostle logic to work as intended.
Published: 2026-05-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
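The aging flaw described above is easiest to see in a small model. The following is an added illustration, not Unbound's source code: a toy query list holds two timestamps per in-flight query, a fixed start time and a "last seen" time that every duplicate refreshes, and a replacement routine that picks the oldest query past a threshold. Selecting the victim by the refreshed timestamp reproduces the bug (the genuinely slow query looks young and a newer, healthy query is replaced instead); selecting by the fixed start time reproduces the 1.25.1 behaviour. The list size, the threshold value, the query names and the timeline are all constructed for the example; the real server's candidate selection (half of the slow queries) is simplified to "oldest past the threshold".

```c
/* Simplified model of query aging under a jostle-style replacement policy.
 * Constructed for illustration only; this is NOT Unbound's code.
 * Times are milliseconds on a monotonic clock. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUERIES 2   /* toy stand-in for the per-thread query limit */

typedef struct {
    char     qname[64];
    uint64_t start_ms;     /* when resolution began; never updated (the fix) */
    uint64_t last_seen_ms; /* refreshed by every duplicate of the same query */
    bool     in_use;
} query_t;

typedef struct {
    query_t q[MAX_QUERIES];
} query_list_t;

/* Admit a query, or attach to an identical in-flight one (a retransmit). */
static void on_incoming(query_list_t *l, const char *qname, uint64_t now_ms)
{
    for (int i = 0; i < MAX_QUERIES; i++) {
        if (l->q[i].in_use && strcmp(l->q[i].qname, qname) == 0) {
            l->q[i].last_seen_ms = now_ms;  /* duplicate: only this field moves */
            return;
        }
    }
    for (int i = 0; i < MAX_QUERIES; i++) {
        if (!l->q[i].in_use) {
            snprintf(l->q[i].qname, sizeof l->q[i].qname, "%s", qname);
            l->q[i].start_ms = now_ms;
            l->q[i].last_seen_ms = now_ms;
            l->q[i].in_use = true;
            return;
        }
    }
    /* List full: in the model the caller must jostle a victim out first. */
}

/* Return the index of the oldest in-flight query whose age is at least
 * threshold_ms, or -1 if none qualifies. The age is measured from the
 * fixed start time (fixed behaviour) or from the refreshed last-seen
 * time (flawed behaviour), depending on use_fixed_start. */
static int pick_jostle_victim(const query_list_t *l, uint64_t now_ms,
                              uint64_t threshold_ms, bool use_fixed_start)
{
    int victim = -1;
    uint64_t oldest_age = 0;
    for (int i = 0; i < MAX_QUERIES; i++) {
        if (!l->q[i].in_use)
            continue;
        uint64_t ref = use_fixed_start ? l->q[i].start_ms : l->q[i].last_seen_ms;
        uint64_t age = now_ms - ref;
        if (age >= threshold_ms && age > oldest_age) {
            victim = i;
            oldest_age = age;
        }
    }
    return victim;
}

/* Constructed timeline: a query for a slow-answering zone starts at t=0 and
 * is retransmitted three times; an unrelated query starts at t=50. At t=400
 * the list is full and a new query needs a slot. Threshold is 200 ms. */
int run_scenario(bool use_fixed_start)
{
    query_list_t l;
    memset(&l, 0, sizeof l);
    on_incoming(&l, "slow.example.", 0);
    on_incoming(&l, "other.example.", 50);
    on_incoming(&l, "slow.example.", 150);   /* retransmits of the same query */
    on_incoming(&l, "slow.example.", 300);
    on_incoming(&l, "slow.example.", 380);
    return pick_jostle_victim(&l, 400, 200, use_fixed_start);
}

int main(void)
{
    /* Flawed: slow.example. appears 20 ms old, so other.example. (index 1)
     * is evicted. Fixed: slow.example. (index 0) is 400 ms old and is evicted. */
    printf("victim using last-seen time : %d\n", run_scenario(false));
    printf("victim using fixed start time: %d\n", run_scenario(true));
    return 0;
}
```

In the flawed variant every retransmit of `slow.example.` hides its true age, so the resolver keeps spending a slot on it and evicts the healthy query instead; with the start time frozen at admission, the retransmits change nothing and the slow query is the one replaced. In the real server the threshold corresponds to Unbound's `jostle-timeout` setting, which the page does not discuss.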
AI Analysis

Impact

The vulnerability in Unbound arises from a flaw in its jostle logic, a mechanism that manages query scheduling when the server's concurrent query limit is reached. Duplicate DNS queries from an attacker can reset the timestamp of a slow-running query, causing the jostle algorithm to underestimate its age. This misjudged age skews the selection of candidate queries for replacement and results in the continued execution of slow queries while newer queries are starved. The net effect is a measurable degradation of DNS resolution performance. While cached or local data responses remain accurate, the overall throughput of the resolver can drop significantly.

Affected Systems

Affected systems are NLnet Labs Unbound versions up to and including 1.25.0. The vendor released a fix in 1.25.1 that assigns a non-updatable start time to each incoming query, restoring correct aging behavior. Systems still running older releases are vulnerable to the performance-degrading bypass.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the exploitability score is not published. The vulnerability is not listed in the CISA KEV catalog. An attacker must be able to send DNS queries to the vulnerable Unbound instance and control a DNS server that can reply slowly or maliciously to those queries. Under a coordinated attack, repeated slow responses could push the resolver into a denial-of-resolution state. The lack of a public EPSS score makes the immediate risk difficult to quantify, but the presence of a patch and the moderate CVSS suggest that the vulnerability should be prioritized for remediation.

Generated by OpenCVE AI on May 20, 2026 at 11:23 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1.


OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later to apply the patch that sets a fixed start time for queries.
  • If upgrading is not immediately possible, limit the set of upstream DNS servers and rate-limit queries from external sources to reduce the window for slow-response abuse.
  • Monitor query processing latency and the number of threads hitting the 'num-queries-per-thread' threshold to detect potential abuse; adjust the thread count if high latency is observed.


Advisories

Source: Ubuntu USN
ID: USN-8282-1
Title: Unbound vulnerabilities
History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:00:00 +0000

Type: Description
Values Added: (identical to the Description above)

Type: Title
Values Added: Jostle logic bypass degrades resolution performance

Type: Weaknesses
Values Added: CWE-440

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added:

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:10:40.700Z

Reserved: 2026-05-07T10:07:51.811Z

Link: CVE-2026-42534

Vulnrichment

Updated: 2026-05-20T12:10:36.742Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T10:16:27.477

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-42534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses