CVE-2026-42960
Undergoing Analysis - In Progress
DNS Cache Poisoning in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound into caching such records. If an adversary is able to attach such records to a reply (i.e., spoofed packet, fragmentation attack), they would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or by fragmentation attacks. Unbound would then accept the related address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complementary fix to CVE-2025-11411.
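As an added illustration (not Unbound's own code), the following Python models the acceptance rule the 1.25.1 fix changes: which additional-section address records a resolver treats as trusted glue. The RR class, the in_zone helper, the glue_to_cache function and the sample reply are constructed assumptions, not taken from Unbound.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class RR:
    """One resource record; names are lowercase and fully qualified."""
    name: str    # owner name
    rtype: str   # "NS", "MX", "A", "AAAA", ...
    rdata: str   # target host name for NS/MX, address text for A/AAAA


# Authority-section types whose rdata names a host and could "pull in"
# address records from the additional section (assumption for this model).
HOST_POINTING_TYPES = {"NS", "MX"}


def in_zone(name: str, zone: str) -> bool:
    """Bailiwick check: is `name` at or below `zone`?"""
    return name == zone or name.endswith("." + zone)


def glue_to_cache(authority: Iterable[RR], additional: Iterable[RR],
                  zone: str, fixed: bool = True) -> set[RR]:
    """Return the additional-section A/AAAA records the resolver would cache.

    fixed=False models the pre-1.25.1 behaviour the advisory describes: any
    in-zone authority RRSet naming a host (NS or MX here) qualifies matching
    address records. fixed=True models the 1.25.1 rule: only hosts named by
    in-zone authority NS records count; everything else is disregarded.
    """
    allowed_types = {"NS"} if fixed else HOST_POINTING_TYPES
    targets = {rr.rdata for rr in authority
               if rr.rtype in allowed_types and in_zone(rr.name, zone)}
    return {rr for rr in additional
            if rr.rtype in ("A", "AAAA")
            and rr.name in targets          # referenced by a trusted RRSet
            and in_zone(rr.name, zone)}     # and itself inside the bailiwick


# Constructed sample reply for a delegation of example.test. (not real data).
ZONE = "example.test."
AUTHORITY = [
    RR("example.test.", "NS", "ns1.example.test."),
    RR("example.test.", "MX", "mail.example.test."),   # promiscuous RRSet
]
ADDITIONAL = [
    RR("ns1.example.test.", "A", "192.0.2.1"),          # legitimate glue
    RR("mail.example.test.", "A", "192.0.2.53"),        # rides in on the MX
    RR("ns1.other.test.", "A", "192.0.2.99"),           # out of bailiwick
]

if __name__ == "__main__":
    for fixed in (False, True):
        kept = sorted(rr.name for rr in glue_to_cache(AUTHORITY, ADDITIONAL, ZONE, fixed))
        print(f"fixed={fixed}: would cache {kept}")
```

Run with the pre-fix rule the MX-referenced address record is cached alongside the NS glue; with the fixed rule only the NS-referenced record survives, and the out-of-bailiwick record is dropped either way.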
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-05-20
AI Q&A
2026-05-20
EPSS Evaluated
N/A
Affected Vendors & Products
Vendor: nlnet_labs
Product: unbound
Version / Range: up to and including 1.25.0
CWE
CWE-349: The product, when processing trusted data, accepts any untrusted data that is also included with the trusted data, treating the untrusted data as if it were trusted.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how CVE-2026-42960 affects compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to poison the DNS cache of your Unbound DNS resolver.

Cache poisoning can cause your DNS resolver to return incorrect DNS information, potentially redirecting users to malicious websites, intercepting or manipulating network traffic, or causing denial of service by disrupting DNS resolution.

Such impacts can compromise security, privacy, and the integrity of your network communications.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability CVE-2026-42960 in Unbound DNS software, the immediate step is to upgrade Unbound to version 1.25.1 or later, where the issue is fixed.

Alternatively, users running version 1.25.0 can apply a manual patch available from the Unbound website and then recompile the software to address the vulnerability.


Can you explain this vulnerability to me?

CVE-2026-42960 is a vulnerability in the Unbound DNS software up to version 1.25.0 that allows an attacker to poison the DNS cache by exploiting promiscuous resource record sets (RRSets) in DNS replies.

An attacker can send spoofed or fragmented DNS reply packets containing address records such as MX records alongside authority NS records. If the authority RRSet is trusted by Unbound, it may cache these malicious address records, leading to cache poisoning.

This means Unbound can be tricked into storing and serving incorrect DNS information, which can redirect users to malicious sites or disrupt DNS resolution.

The vulnerability was fixed in Unbound version 1.25.1 by ignoring address records in the additional section unless they are explicitly relevant to authority NS records.

