CVE-2026-42923
Denial of Service in Unbound DNSSEC Validator
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: NLnet Labs
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nlnet_labs | unbound | up to and including 1.25.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in NLnet Labs Unbound DNSSEC validator up to version 1.25.0. The issue is that the code path which checks the negative cache for DS records does not respect the limit on NSEC3 hash calculations introduced in version 1.19.1.
An attacker who controls a DNSSEC-signed zone can exploit this by signing NSEC3 records with a high number of iterations for child delegations and then querying a vulnerable Unbound instance. The system will perform excessive hash calculations without limiting the work, holding a global lock on the negative cache and blocking other threads.
This can lead to service degradation and, if coordinated, can escalate to a denial-of-service condition. The vulnerability is fixed in Unbound version 1.25.1 by applying the existing NSEC3 hash calculation limit to the vulnerable code path.
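To show why an unbounded iteration count is a CPU problem and what "applying the existing hash calculation limit" to a code path means, here is an added example (not Unbound's code): the RFC 5155 NSEC3 hash, plus a small work budget that refuses to start hashing when a record's iteration count or the cumulative hash count would exceed a cap. The cap values are assumptions for illustration, not Unbound's actual limits.

```python
import base64
import hashlib


class Nsec3WorkExceeded(Exception):
    """Raised when an NSEC3 hash would push the validator past its work limit."""


def dns_name_wire(name: str) -> bytes:
    """Encode a dotted DNS name in canonical (lowercase) wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _base32hex(data: bytes) -> str:
    # RFC 4648 base32hex alphabet (what NSEC3 owner names use), lowercase
    std = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    hexalpha = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
    return base64.b32encode(data).decode("ascii").translate(str.maketrans(std, hexalpha)).lower()


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), SHA-1.

    Cost is always iterations + 1 SHA-1 calls, so the iteration count chosen by
    the zone signer directly sets how much CPU the validator spends per name."""
    digest = hashlib.sha1(dns_name_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return _base32hex(digest)


class Nsec3Budget:
    """Per-lookup NSEC3 work limit. Limit values here are assumed, not Unbound's."""

    def __init__(self, max_iterations: int = 150, max_hash_ops: int = 1000) -> None:
        self.max_iterations = max_iterations
        self.max_hash_ops = max_hash_ops
        self.hash_ops = 0  # SHA-1 calls spent so far in this lookup

    def hash(self, name: str, salt: bytes, iterations: int) -> str:
        cost = iterations + 1
        # The check runs BEFORE any hashing; the bug class described above is a
        # code path (the negative-cache DS check) that reached nsec3_hash() without it.
        if iterations > self.max_iterations or self.hash_ops + cost > self.max_hash_ops:
            raise Nsec3WorkExceeded(f"{name}: {iterations} iterations over budget")
        self.hash_ops += cost
        return nsec3_hash(name, salt, iterations)
```

The first assertion below uses the worked vector from RFC 5155 Appendix A (salt aabbccdd, 12 iterations, name "example.").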
How can this vulnerability impact me?
This vulnerability can cause degradation of service in systems running vulnerable versions of Unbound DNSSEC validator. During an attack, the system performs excessive hash calculations and holds a global lock on the negative cache, blocking other threads.
If an attacker coordinates queries exploiting this flaw, it can escalate to a denial-of-service (DoS) condition, potentially making DNS resolution unavailable or slow for users relying on the affected Unbound instance.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Unbound to version 1.25.1, which contains a patch that applies the necessary limit on NSEC3 hash calculations to prevent service degradation.
If upgrading is not immediately possible, you can manually apply the patch available from the Unbound website to the source directory of version 1.25.0 and then reinstall the software.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Unbound versions up to and including 1.25.0. Detection involves verifying the Unbound version running on your system to see if it is vulnerable.
You can check the Unbound version by running the following command:
```sh
unbound -V | head -n 1
```

(`unbound -V` prints the version on its first line; `unbound -h` prints usage text first, so piping it through `head -n 1` would not show the version.)
If the version is 1.25.0 or earlier, your system is vulnerable. Additionally, monitoring for unusual CPU usage or service degradation related to DNSSEC validation could indicate exploitation attempts.
There are no specific detection commands provided in the resources for identifying exploitation attempts directly.
Mitigation is to upgrade to Unbound 1.25.1 or later, which contains the patch fixing this vulnerability.