Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
Published: 2026-05-20
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbound DNS resolver up to version 1.25.0 accepts seemingly valid additional address records that accompany any authority RRSet, not just those for NS records. An attacker can forge a reply or use a fragmentation attack to inject such records, causing the resolver to cache them and potentially redirect clients to malicious servers. This flaw aligns with CWE‑349 and may compromise the confidentiality and integrity of DNS lookups.

Affected Systems

Vendor NLnet Labs; product Unbound DNS resolver; affected versions include all releases through 1.25.0. The vendor released version 1.25.1 with a fix that rejects irrelevant address records in the additional section for authority RRSets, mitigating the poison effect.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. The exploitation vector is remote, requiring the ability to spoof or fragment packets destined for the resolver. No EPSS data is available, and the vulnerability is not listed in the KEV catalog, suggesting limited documented exploitation. However, the attack path is straightforward for an adversary able to control network traffic to Unbound, making timely remediation advisable.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or newer to apply the vendor patch that excludes non‑NS address records from authority RRSets
  • Restart the Unbound service to load the updated configuration
  • Monitor DNS logs for unexpected or unauthorized cache entries, focusing on changes to MX or other records that are not normally returned by authoritative servers

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6304-1 unbound security update
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
Ubuntu USN Ubuntu USN USN-8282-2 Unbound vulnerabilities
History

Wed, 27 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 20 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs unbound
CPEs cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
Vendors & Products Nlnetlabs
Nlnetlabs unbound
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H'}

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
Title Possible cache poisoning via promiscuous records for the authority section
Weaknesses CWE-349
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/U:Amber'}

Subscriptions

Nlnetlabs Unbound
cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T13:04:34.933Z

Reserved: 2026-05-07T10:13:43.999Z

Link: CVE-2026-42960

cve-icon Vulnrichment

Updated: 2026-05-20T13:04:27.808Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T10:16:28.037

Modified: 2026-05-20T22:51:43.680

Link: CVE-2026-42960

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-20T00:00:00Z

Links: CVE-2026-42960 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:15:06Z

Weaknesses