Description
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
Published: 2026-05-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
AI Analysis

Impact

Unbound DNS resolver versions up to 1.25.0 contain a flaw in the DNSSEC validator that can cause an immediate process crash. The bug originates from using an incorrect counter when computing write offsets for ADDITIONAL section resource records during chase-reply construction. An attacker controlling a DNSSEC-signed domain can trigger the crash with a single query by crafting a response that includes a DNAME chain with unsigned CNAMEs, unsigned AUTHORITY records and signed ADDITIONAL glue records. The invalid offsets result in an uninitialized array slot that the validator later dereferences, producing a denial‑of‑service condition.

Affected Systems

The vulnerability affects NLnet Labs Unbound up to and including version 1.25.0. Any deployment of these versions that runs the validator module (that is, performs DNSSEC validation) and resolves names from zones it does not control is exposed, whether it acts as a full recursive resolver or as a validating forwarder. The attacker needs no access to the resolver itself: controlling a DNSSEC-signed zone and causing a single query for a name in it (for example through any client of the resolver) is enough.

Risk and Exploitability

The CVSS 4.0 score of 8.7 (7.5 under CVSS 3.1) classifies the issue as high severity: the vector is network-reachable, low complexity, and requires neither privileges nor user interaction, with impact confined to availability. The EPSS estimate is below 1%, so predicted exploitation activity is currently low, but the attack is cheap to mount (the SSVC assessment rates it automatable) because it is triggered by ordinary DNS traffic toward an attacker-controlled signed zone. The flaw provides no information disclosure or privilege escalation, but it can reliably disrupt service by terminating the unbound process, and the resolver will keep crashing as long as clients can be induced to query the malicious zone. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1.

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later, which contains the patch that correctly calculates write offsets.
  • If an upgrade is not immediately possible, setting "val-clean-additional: no" in the server: section of unbound.conf (the default is yes) has been suggested as a way to avoid the vulnerable code path. The vendor's stated fix is the 1.25.1 upgrade, so treat this workaround as unverified until the NLnet Labs advisory confirms it, and keep it in place only until the upgrade is applied.
  • Verify that DNSSEC validation still functions after applying the workaround: a query for a properly signed name should return NOERROR with the AD flag set, and a query for a name with deliberately broken signatures should return SERVFAIL. Disable DNSSEC validation only as a last resort, since that removes the resolver's protection against forged answers and is a far larger exposure than the crash itself.
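The following is an added example, not code from NLnet Labs or OpenCVE, covering both the affected-version range stated under Affected Systems and the verification step in the last bullet. It classifies an installed Unbound version against the 1.25.1 fix and decides, from the header lines that dig prints, whether a resolver is still validating. The parsing of "unbound -V", the resolver address 127.0.0.1 and the test names example.com (a signed zone) and dnssec-failed.org (a zone with deliberately broken signatures) are assumptions; substitute zones you trust. The two sample dig headers embedded in the script are constructed for offline use.

```shell
#!/bin/sh
# Added example for CVE-2026-42959 (not NLnet Labs or OpenCVE code): decide
# whether an installed Unbound falls in the affected range (<= 1.25.0) and,
# after remediation, confirm that DNSSEC validation is still doing its job.

FIXED_IN="1.25.1"   # first fixed release according to the advisory

# "1.25.0" -> 1025000 so that dotted versions compare as plain integers.
# A non-numeric suffix such as "rc1" on a component is ignored; missing
# components count as 0 ("1.25" == "1.25.0").
ver_to_int() {
    maj=${1%%.*}
    rest=${1#"$maj"}; rest=${rest#.}
    min=${rest%%.*}
    rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%[!0-9]*}
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Exit status 0 when the given version is affected (older than FIXED_IN).
unbound_affected() {
    [ "$(ver_to_int "$1")" -lt "$(ver_to_int "$FIXED_IN")" ]
}

# Version of the unbound binary on PATH. Assumption: "unbound -V" prints
# "Version 1.25.0" as its first line. Prints nothing if unbound is absent.
installed_unbound_version() {
    unbound -V 2>/dev/null | awk '/^Version/ { print $2; exit }'
}

# Given the ";; ->>HEADER<<-" and ";; flags:" lines of a dig reply, report
# whether the resolver validated the answer: status NOERROR and the AD
# (authenticated data) flag present in the flags list.
reply_is_validated() {
    printf '%s\n' "$1" | grep -q 'status: NOERROR' &&
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# A validating resolver must answer SERVFAIL for a name whose signatures are
# deliberately broken; NOERROR there means validation is off or bypassed.
reply_is_servfail() {
    printf '%s\n' "$1" | grep -q 'status: SERVFAIL'
}

# Header lines of a live query; output feeds the two checks above.
# Usage: dig_header <resolver-ip> <name>
dig_header() {
    dig @"$1" "$2" A +dnssec +noall +comments
}

# Constructed sample headers (not captured from a real resolver) in the
# shape dig prints them, for offline use of the checks above.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Run against the local host: ./check.sh --check [resolver-ip]
if [ "${1:-}" = "--check" ]; then
    v=$(installed_unbound_version)
    if [ -z "$v" ]; then
        echo "unbound not found on PATH"
    elif unbound_affected "$v"; then
        echo "unbound $v is affected by CVE-2026-42959 (fixed in $FIXED_IN)"
    else
        echo "unbound $v is not affected"
    fi
    r=${2:-127.0.0.1}   # assumption: resolver listens on localhost
    if reply_is_validated "$(dig_header "$r" example.com)" &&
       reply_is_servfail "$(dig_header "$r" dnssec-failed.org)"; then
        echo "DNSSEC validation on $r looks healthy"
    else
        echo "DNSSEC validation on $r is NOT behaving as expected"
    fi
fi
```

The version comparison is deliberately numeric rather than a string match so that 1.25.10 sorts after 1.25.1 and pre-release suffixes do not break it; the validation check insists on both halves (AD on a good name and SERVFAIL on a bogus one) because a resolver with validation disabled as a workaround will still return NOERROR for the good name, just without AD.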


Advisories

Source        ID            Title
Debian DSA    DSA-6304-1    unbound security update
Ubuntu USN    USN-8282-1    Unbound vulnerabilities
Ubuntu USN    USN-8282-2    Unbound vulnerabilities

History

Thu, 21 May 2026 00:15:00 +0000
  References: updated
  Metrics: threat_severity None -> Important

Wed, 20 May 2026 23:00:00 +0000
  First time appeared: Nlnetlabs; Nlnetlabs unbound
  CPEs: cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
  Vendors & Products: Nlnetlabs; Nlnetlabs unbound
  Metrics: cvssV3_1 added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 20 May 2026 14:30:00 +0000
  Metrics: ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000
  Description: added (the text shown under Description at the top of this page)
  Title: Crash during DNSSEC validation of malicious content
  Weaknesses: CWE-824
  References: added
  Metrics: cvssV4_0 added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red'}


MITRE
  Status: PUBLISHED
  Assigner: NLnet Labs
  Reserved: 2026-05-07T10:07:51.848Z
  Updated: 2026-05-20T13:12:56.258Z
  Link: CVE-2026-42959

Vulnrichment
  Updated: 2026-05-20T13:12:46.810Z

NVD
  Status: Analyzed
  Published: 2026-05-20T10:16:27.903
  Modified: 2026-05-20T22:51:00.717
  Link: CVE-2026-42959

Red Hat
  Severity: Important
  Public Date: 2026-05-20T00:00:00Z
  Links: CVE-2026-42959 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-05-21T08:15:06Z

Weaknesses
  CWE-824 (Access of Uninitialized Pointer)