Skip to main content

NLnet Labs Unbound CVE-2026-42534

| EUVDEUVD-2026-31082 MEDIUM
Expected Behavior Violation (CWE-440)
2026-05-20 sep@nlnetlabs.nl GHSA-xfcv-gp55-3wpf
6.9
CVSS 4.0 · Vendor: nlnetlabs
Share

Severity by source

Vendor (nlnetlabs) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (nlnetlabs).

CVSS VectorVendor: nlnetlabs

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:34 vuln.today

DescriptionCVE.org

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.

AnalysisAI

Resolution performance degradation in NLnet Labs Unbound 1.25.0 and earlier allows an unauthenticated remote attacker - who also controls a malicious or slow authoritative nameserver - to subvert the jostle logic designed to evict stalled queries, ultimately causing denial of resolution service. The jostle mechanism, which activates when the num-queries-per-thread limit is reached, is bypassed because retransmitted duplicate queries reset the aging timestamp to the latest duplicate rather than preserving the original query start time, preventing aged queries from being correctly identified and replaced. No public exploit has been identified at time of analysis; however, the vendor has confirmed the issue and released a patch in version 1.25.1.

Technical ContextAI

Unbound is a validating, recursive, caching DNS resolver maintained by NLnet Labs. Its jostle logic is an internal congestion-management mechanism that activates when the resolver's per-thread query slot capacity (num-queries-per-thread) is exhausted. When a new inbound query arrives under load, the resolver selects the slowest half of outstanding queries as eviction candidates, replacing them to serve new requests. The root cause - classified under CWE-440 (Expected Behavior Violation) - is that the aging timestamp attached to a query is mutable: duplicate retransmitted queries overwrite the original start time with the time of the latest duplicate, making the query appear younger than it actually is. This prevents the jostle logic from correctly classifying the query as stale, defeating its eviction purpose. The affected code path applies only to recursive resolution; responses served from cache or local data zones are entirely unaffected, which limits the availability impact vector to VA:L under CVSS 4.0.

RemediationAI

The vendor-released patch is Unbound version 1.25.1, which introduces a non-updatable initial start timestamp for each incoming query, ensuring the jostle logic evaluates true query age regardless of retransmit activity. Operators should upgrade to 1.25.1 immediately; the advisory is at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txt. If immediate patching is not possible, a partial compensating control is to reduce the num-queries-per-thread configuration value, which causes jostle eviction to trigger earlier and under lighter load, reducing the window during which timestamp manipulation is effective - the trade-off is reduced legitimate query concurrency and potential performance impact under normal load. Additionally, deploying rate-limiting on inbound query sources (e.g., via the Unbound ratelimit or ip-ratelimit directives) can limit an attacker's ability to flood the resolver with duplicate queries, though this does not fix the timestamp logic and may affect legitimate high-volume clients. Restricting resolver access to trusted client ranges via the access-control directive eliminates the first prerequisite for exploitation entirely, where network topology permits it.

CVE-2019-18934 HIGH POC
7.3 Nov 19

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiv

CVE-2026-33278 CRITICAL
9.1 May 20

Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attac

CVE-2026-42959 HIGH
8.7 May 20

Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an at

CVE-2026-42944 HIGH
8.7 May 20

Heap overflow denial-of-service in NLnet Labs Unbound recursive DNS resolver versions 1.14.0 through 1.25.0 allows remot

CVE-2022-3204 HIGH
7.5 Sep 26

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolv

CVE-2020-10772 HIGH
7.5 Nov 27

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020

CVE-2020-12663 HIGH
7.5 May 19

Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. Rated high severity

CVE-2020-12662 HIGH
7.5 May 19

Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. Rated high severity

CVE-2019-16866 HIGH
7.5 Oct 03

Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIF

CVE-2024-1488 HIGH
7.3 Feb 15

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound grou

CVE-2026-44390 MEDIUM
6.9 May 20

Denial of service in NLnet Labs Unbound 1.25.0 and earlier allows remote unauthenticated attackers to exhaust CPU resour

CVE-2026-41292 MEDIUM
6.6 May 20

Unbound DNS resolver versions up to and including 1.25.0 allow remote unauthenticated attackers to degrade or deny servi

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-42534 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy