Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
Published: 2026-05-20
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbound DNS resolver up to version 1.25.0 accepts seemingly valid additional address records that accompany any authority RRSet, not just those for NS records. An attacker can forge a reply or use a fragmentation attack to inject such records, causing the resolver to cache them and potentially redirect clients to malicious servers. This flaw aligns with CWE‑349 and may compromise the confidentiality and integrity of DNS lookups.

Affected Systems

Vendor NLnet Labs; product Unbound DNS resolver; affected versions include all releases through 1.25.0. The vendor released version 1.25.1 with a fix that rejects irrelevant address records in the additional section for authority RRSets, mitigating the poison effect.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. The exploitation vector is remote, requiring the ability to spoof or fragment packets destined for the resolver. No EPSS data is available, and the vulnerability is not listed in the KEV catalog, suggesting limited documented exploitation. However, the attack path is straightforward for an adversary able to control network traffic to Unbound, making timely remediation advisable.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or newer to apply the vendor patch that excludes non‑NS address records from authority RRSets
  • Restart the Unbound service to load the updated configuration
  • Monitor DNS logs for unexpected or unauthorized cache entries, focusing on changes to MX or other records that are not normally returned by authoritative servers

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
Title Possible cache poisoning via promiscuous records for the authority section
Weaknesses CWE-349
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/U:Amber'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T13:04:34.933Z

Reserved: 2026-05-07T10:13:43.999Z

Link: CVE-2026-42960

cve-icon Vulnrichment

Updated: 2026-05-20T13:04:27.808Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:28.037

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-42960

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses