CVE-2026-42534
Undergoing Analysis - In Progress
Denial of Resolution in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.
Meta Information
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nlnet_labs
Product: unbound
Version / Range: up to and including 1.25.0
CWE
CWE-440 (Expected Behavior Violation): A feature, API, or function does not perform according to its specification.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-42534 is a vulnerability in the jostle logic of NLnet Labs Unbound versions up to and including 1.25.0. The jostle logic is intended to manage query resolution performance by replacing slow-running queries when the number of queries per thread reaches its limit.

The vulnerability occurs because retransmitted duplicate queries reset the age of slow-running queries, preventing the jostle logic from recognizing them as aged and eligible for replacement. This allows slow or maliciously delayed queries to persist longer than intended.

An attacker who can query a vulnerable Unbound instance and control a slow or malicious domain name server can exploit this flaw to degrade the resolution performance or even cause a denial of resolution service.

The issue is fixed in Unbound version 1.25.1 by attaching an initial, non-updatable start time to incoming queries, allowing the jostle logic to function correctly.
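The aging rule that the description and the answer above describe is easiest to see in a toy model. The following is an added example, not code from Unbound or from this page: it keeps a request list of LIMIT in-flight resolutions (standing in for num-queries-per-thread), treats the older half of a full list as replacement candidates, and replaces a candidate only once its age exceeds a jostle timeout. The "vulnerable" list measures age from the most recent duplicate of a query, the "fixed" list from a start time set once when the resolution began. LIMIT, the 200 ms timeout, the domain names and the timings are all constructed for illustration; Unbound's real candidate selection and timeouts are more involved.

```python
# Added example, not Unbound's code: a toy model of the request-list "jostle"
# replacement described for CVE-2026-42534. Sizes, timings and names are
# constructed for illustration only.
from dataclasses import dataclass

LIMIT = 4                # stands in for num-queries-per-thread
JOSTLE_TIMEOUT_MS = 200  # an entry older than this may be replaced


@dataclass
class Entry:
    qname: str
    start_ms: int      # fixed build: set once when resolution started
    last_seen_ms: int  # vulnerable build: refreshed by every duplicate


class RequestList:
    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.entries: list[Entry] = []
        self.replaced: list[str] = []  # names jostled out, in order

    def age(self, e: Entry, now: int) -> int:
        # The bug: the vulnerable build measures age from the latest duplicate,
        # so retransmits keep a slow resolution looking young.
        return now - (e.start_ms if self.fixed else e.last_seen_ms)

    def query(self, qname: str, now: int) -> str:
        for e in self.entries:
            if e.qname == qname:
                e.last_seen_ms = now  # duplicate joins the in-flight resolution
                return "dup"
        if len(self.entries) < LIMIT:
            self.entries.append(Entry(qname, now, now))
            return "new"
        # List is full: only the older half are replacement candidates, and a
        # candidate must have exceeded the jostle timeout to be replaced.
        oldest_first = sorted(self.entries, key=lambda e: self.age(e, now), reverse=True)
        for victim in oldest_first[: LIMIT // 2]:
            if self.age(victim, now) > JOSTLE_TIMEOUT_MS:
                self.entries.remove(victim)
                self.replaced.append(victim.qname)
                self.entries.append(Entry(qname, now, now))
                return "jostled"
        return "dropped"


def run_scenario(fixed: bool) -> list[str]:
    """An attacker fills the list at t=0 with names under a zone whose server
    never answers and retransmits them every 100 ms; two legitimate queries
    arrive later. Returns the outcome for each legitimate query."""
    rl = RequestList(fixed)
    attacker = [f"a{i}.slow.example" for i in range(LIMIT)]      # constructed
    legit = {250: "www.example.org", 550: "mail.example.org"}   # constructed
    outcomes = []
    for now in range(0, 600, 50):
        if now % 100 == 0:
            for q in attacker:
                rl.query(q, now)
        if now in legit:
            outcomes.append(rl.query(legit[now], now))
    return outcomes


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable", run_scenario(fixed))
```

With the vulnerable rule both legitimate queries are dropped: every retransmit resets the attacker's entries to an age of at most 100 ms, so none ever passes the 200 ms timeout and the list never frees a slot. With the fixed rule the attacker's entries are 250 ms old by the time the first legitimate query arrives, the retransmits no longer help, and both legitimate queries get a slot. The model leaves out the cache and local-data paths, which the description notes are unaffected.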


How can this vulnerability impact me?

This vulnerability can degrade the DNS resolution performance of Unbound, potentially causing slow or failed domain name resolutions.

If exploited by an attacker controlling a slow or malicious domain name server, it can lead to denial of resolution service, meaning legitimate queries may not be resolved in a timely manner or at all.

Such degradation or denial of DNS resolution can impact network reliability and availability for users and services relying on Unbound for DNS.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the jostle logic in Unbound versions up to 1.25.0, which can be exploited by retransmitted queries that reset the age of slow-running queries. Detection would involve monitoring Unbound's query resolution performance, especially when the 'num-queries-per-thread' limit is reached, to identify degraded resolution performance or abnormal query retransmissions.

Specific commands to detect this vulnerability are not provided in the available resources.
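Two things an operator can check are the running version and whether the request list is in fact hitting its per-thread limit, since the jostle logic only runs once it does. The following is an added example, not part of this page or of Unbound. On a live host the inputs come from `unbound -V` (whose first line is "Version X.Y.Z") and `unbound-control stats_noreset` (key=value lines, including the requestlist.* counters, which are real Unbound statistics); the two strings below are constructed samples, not captured output, and the 1.25.1 threshold is taken from the description above.

```python
# Added example, not part of the page or of Unbound: assess a host for
# CVE-2026-42534 from `unbound -V` output and `unbound-control stats_noreset`
# output. The sample strings are constructed, not captured from a server.
import re
import subprocess

FIXED_IN = (1, 25, 1)  # first release with the fix, per the advisory text

SAMPLE_VERSION_OUTPUT = "Version 1.25.0\n\nConfigure line: --with-libevent\n"  # constructed
SAMPLE_STATS_OUTPUT = """\
total.num.queries=48211
total.requestlist.avg=612.4
total.requestlist.max=1024
total.requestlist.overwritten=371
total.requestlist.exceeded=0
total.requestlist.current.all=1019
total.requestlist.current.user=1012
total.recursion.time.avg=1.873452
"""  # constructed


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract X.Y.Z from the 'Version X.Y.Z' line that `unbound -V` prints."""
    m = re.search(r"^Version (\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version X.Y.Z' line in input")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: tuple[int, int, int]) -> bool:
    return version < FIXED_IN


def parse_stats(text: str) -> dict[str, float]:
    """Turn unbound-control's key=value lines into a dict of numbers."""
    stats: dict[str, float] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        try:
            stats[key.strip()] = float(value)
        except ValueError:
            continue  # non-numeric values (e.g. histogram labels) are skipped
    return stats


def jostle_indicators(stats: dict[str, float]) -> dict[str, object]:
    """requestlist.overwritten counts entries replaced by newer queries (the
    jostle path); requestlist.exceeded counts queries dropped because the list
    was full. Either being non-zero means the limit has been reached, which is
    the precondition for this bug to matter."""
    overwritten = stats.get("total.requestlist.overwritten", 0.0)
    exceeded = stats.get("total.requestlist.exceeded", 0.0)
    return {
        "limit_reached": overwritten > 0 or exceeded > 0,
        "entries_overwritten": int(overwritten),
        "queries_dropped": int(exceeded),
        "requestlist_current": int(stats.get("total.requestlist.current.all", 0.0)),
        "recursion_time_avg_s": stats.get("total.recursion.time.avg", 0.0),
    }


def assess(version_text: str, stats_text: str) -> dict[str, object]:
    version = parse_version(version_text)
    report: dict[str, object] = {
        "version": ".".join(str(n) for n in version),
        "affected": is_affected(version),
    }
    report.update(jostle_indicators(parse_stats(stats_text)))
    # Worth acting on: an affected build whose request list already hits its
    # limit. A non-zero counter alone is not proof of an attack; ordinary
    # query floods or a slow upstream fill the list too.
    report["at_risk"] = bool(report["affected"]) and bool(report["limit_reached"])
    return report


def live_inputs() -> tuple[str, str]:
    """Run the real commands. Needs unbound on PATH and a working
    unbound-control setup (remote-control enabled, key and certificate)."""
    v = subprocess.run(["unbound", "-V"], capture_output=True, text=True, check=True).stdout
    s = subprocess.run(["unbound-control", "stats_noreset"],
                       capture_output=True, text=True, check=True).stdout
    return v, s


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_STATS_OUTPUT))
```

Use stats_noreset rather than stats when polling, because stats zeroes the counters after printing. A rising overwritten counter paired with a rising average recursion time on an affected build is the pattern to watch; the counters cannot distinguish this bug from a plain query flood, so the version check is what decides whether to upgrade.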


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Unbound to version 1.25.1, which contains a patch that fixes the vulnerability by attaching an initial, non-updatable start time to incoming queries, allowing the jostle logic to function correctly.

Alternatively, if upgrading is not immediately possible, manually patching version 1.25.0 with the fix is recommended.

