Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.
Published: 2026-05-20
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the DNSSEC validation path of Unbound where the negative cache lookup for DS records ignores the NSEC3 hash calculation limits introduced in version 1.19.1. When an adversary controls a zone, they can create NSEC3 records with high iteration counts; queries to the vulnerable resolver will force these hash calculations without restraint, causing CPU or lock contention. This results in service degradation and, if repeated, can lead to a denial of service. The flaw is an example of uncontrolled resource consumption (CWE-407).
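As an added illustration (not code from this advisory or from Unbound itself), the following Python models the behaviour described above: the RFC 5155 NSEC3 hash, whose cost grows with the zone-chosen iteration count, a loop over a delegation chain that hashes without any limit, and the same loop under a per-query work budget as the 1.19.1 mitigation applies it. The chain, salt, iteration count and budget value are constructed for the example; Unbound's real limit values are not stated on this page.

```python
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire form of a DNS owner name."""
    labels = [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> bytes:
    """RFC 5155 NSEC3 hash: SHA-1(name || salt), re-hashed 'iterations' more times.
    Work per record is iterations + 1 SHA-1 calls, chosen by the zone, not the resolver."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest

def prove_chain_unbounded(records):
    """Simplified model of the unpatched code path: every NSEC3 record in the chain is
    hashed regardless of accumulated work. Returns (hash_calls_made, records_processed)."""
    work = 0
    for name, salt, iterations in records:
        nsec3_hash(name, salt, iterations)
        work += iterations + 1
    return work, len(records)

def prove_chain_bounded(records, budget):
    """Simplified model of the mitigated path: a single per-query budget of hash calls.
    A record that would exceed the budget is not hashed and processing stops, so the
    resolver's CPU time (and the time it holds the negative-cache lock) stays bounded."""
    work = 0
    done = 0
    for name, salt, iterations in records:
        cost = iterations + 1
        if work + cost > budget:
            break  # give up on this chain instead of doing unbounded work
        nsec3_hash(name, salt, iterations)
        work += cost
        done += 1
    return work, done

# Constructed sample data: a delegation chain whose NSEC3 records all carry a high
# iteration count. The budget is a placeholder, not Unbound's configured limit.
SAMPLE_SALT = bytes.fromhex("aabbccdd")
SAMPLE_CHAIN = [(f"sub{i}.example.test.", SAMPLE_SALT, 2500) for i in range(8)]
ASSUMED_BUDGET = 5000

if __name__ == "__main__":
    print("unbounded:", prove_chain_unbounded(SAMPLE_CHAIN))
    print("bounded:  ", prove_chain_bounded(SAMPLE_CHAIN, ASSUMED_BUDGET))
```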

Affected Systems

The affected product is NLnet Labs Unbound. All releases up to and including 1.25.0 are vulnerable; the fix is included starting with 1.25.1. Users running Unbound 1.25.0 or older are susceptible.

Risk and Exploitability

The CVSS base score is 6.9, indicating a moderate severity. No EPSS score is currently available, and the vulnerability is not listed in CISA's KEV catalog. An attacker who controls a DNSSEC-signed zone can issue malicious NSEC3 queries to a public or private Unbound server over the network. The exploit path only requires that the resolver follows the advertised NSEC3 chain and is reachable; no privileged access to the resolver is needed. Successful exploitation results in high NSEC3 hash workload and prolonged locking of the negative cache, blocking legitimate queries. Coordinated attacks can amplify the effect to full denial of service.

Generated by OpenCVE AI on May 20, 2026 at 11:23 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1.


OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later, which applies the bound-hashing fix.
  • If an immediate upgrade is not possible, configure the resolver to reject NSEC3 queries from zones that are not trusted or enforce firewall rules that limit queries to a small set of trusted resolvers, thereby reducing the attack surface.
  • Continuously monitor resolver performance for abnormal CPU usage or extended negative cache lock times and consider disabling or throttling negative caching temporarily while awaiting the official patch.

Generated by OpenCVE AI on May 20, 2026 at 11:23 UTC.


Advisories

Source: Ubuntu USN
ID: USN-8282-1
Title: Unbound vulnerabilities
History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:00:00 +0000

Type: Description
Values Added: (the description shown at the top of this page)

Type: Title
Values Added: Degradation of service with unbounded NSEC3 hash calculations

Type: Weaknesses
Values Added: CWE-407

Type: References (no values listed)

Type: Metrics (cvssV4_0)
Values Added:

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/U:Amber'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:10:10.747Z

Reserved: 2026-05-07T10:07:51.800Z

Link: CVE-2026-42923

Vulnrichment

Updated: 2026-05-20T12:10:07.408Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T10:16:27.630

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-42923

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses