Description
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
Published: 2026-05-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbound DNS resolver versions up to 1.25.0 contain a flaw in the DNSSEC validator that can cause an immediate process crash. The bug originates from using an incorrect counter when computing write offsets for ADDITIONAL section resource records during chase-reply construction. An attacker controlling a DNSSEC-signed domain can trigger the crash with a single query by crafting a response that includes a DNAME chain with unsigned CNAMEs, unsigned AUTHORITY records and signed ADDITIONAL glue records. The invalid offsets result in an uninitialized array slot that the validator later dereferences, producing a denial‑of‑service condition.

Affected Systems

The vulnerability affects NLnet Labs Unbound up to and including version 1.25.0. Any deployment of these versions as a recursive resolver or a validating server is exposed.

Risk and Exploitability

The CVSS score of 8.7 classifies the issue as high severity, and the absence of an EPSS score indicates that current exploitation likelihood is uncertain. Because the problem is activated through normal DNS traffic, it is likely a network‑based attack vector. The flaw does not provide information disclosure or privilege escalation, but it can reliably disrupt service by terminating the unbound process. The vulnerability is not yet listed in the CISA KEV catalog, suggesting no confirmed exploits have been observed in the wild.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1.


OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later, which contains the patch that correctly calculates write offsets.
  • If an upgrade is not immediately possible, configure "val-clean-additional: no" in the server configuration to bypass the vulnerable code path in the affected versions.
  • Verify that DNSSEC validation continues to function correctly after applying the workaround, and consider disabling DNSSEC validation only as a last resort, as this reduces the resolver’s security posture.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.
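An added audit helper for the two recommended actions above (example code written here, not part of the advisory or of Unbound itself): it classifies a host as upgraded, mitigated or exposed from its Unbound version and its configuration file. It assumes `unbound -V` prints `Version X.Y.Z` on its first line, and the workaround check only reads the one file it is given, so directives pulled in via `include:` are not followed.

```shell
#!/bin/sh
# Added example (not from the advisory or the Unbound project).
# Hypothetical helpers: affected, workaround_present, audit_status.

# affected VERSION: succeed (exit 0) when VERSION is 1.25.0 or older.
affected() {
    printf '%s\n' "$1" | awk -F. '{
        major = $1 + 0; minor = $2 + 0; patch = $3 + 0   # "0rc1" counts as 0
        if (major < 1 || (major == 1 && (minor < 25 || (minor == 25 && patch <= 0))))
            exit 0
        exit 1
    }'
}

# workaround_present FILE: succeed when FILE carries an uncommented
# "val-clean-additional: no" line, the interim mitigation named above.
workaround_present() {
    grep -Eq '^[[:space:]]*val-clean-additional:[[:space:]]*no[[:space:]]*$' "$1"
}

# audit_status VERSION CONFIGFILE: print upgraded, mitigated or exposed.
audit_status() {
    if ! affected "$1"; then
        echo upgraded
    elif workaround_present "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# Run against the live installation when Unbound is present on this host;
# otherwise just report that the functions above are available.
if command -v unbound >/dev/null 2>&1; then
    ver=$(unbound -V | awk 'NR == 1 { print $2 }')
    conf=${UNBOUND_CONF:-/etc/unbound/unbound.conf}
    echo "unbound $ver: $(audit_status "$ver" "$conf")"
else
    echo "unbound not installed on this host; nothing audited"
fi
```

The "mitigated" verdict only reflects the workaround's presence in the file; confirm the effective value with `unbound-checkconf -o val-clean-additional` on the running resolver.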


Advisories
Source: Ubuntu USN
ID: USN-8282-1
Title: Unbound vulnerabilities
History

Wed, 20 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 May 2026 10:00:00 +0000

Type: Description
Values added: the description shown at the top of this page

Type: Title
Values added: Crash during DNSSEC validation of malicious content

Type: Weaknesses
Values added: CWE-824

Type: References
Values added: (none shown)

Type: Metrics (cvssV4_0)
Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red'}



MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T13:12:56.258Z

Reserved: 2026-05-07T10:07:51.848Z

Link: CVE-2026-42959

Vulnrichment

Updated: 2026-05-20T13:12:46.810Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T10:16:27.903

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-42959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses