Skip to main content

NLnet Labs Unbound CVE-2026-42923

| EUVDEUVD-2026-31081 MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-05-20 sep@nlnetlabs.nl GHSA-8f6w-8h24-fw66
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:34 vuln.today

DescriptionCVE.org

NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.

AnalysisAI

Unbound DNS resolver up to and including version 1.25.0 exposes a denial-of-service condition in its DNSSEC validation stack, specifically in the negative cache code path used to look up DS records. An adversary who controls a DNSSEC-signed zone can craft NSEC3 records with high-but-permissible iteration counts for child delegations, causing any vulnerable Unbound instance that queries those records to perform unbounded SHA-1 hash computations while holding a global negative cache lock - blocking all other threads that need cache access. No public exploit code exists and this is not listed in the CISA KEV catalog at time of analysis, but coordinated query floods against the vulnerable code path could escalate a single-instance slowdown into a full denial of service.

Technical ContextAI

Unbound is a validating, recursive DNS resolver developed by NLnet Labs that implements DNSSEC (DNS Security Extensions). NSEC3 (RFC 5155) is a denial-of-existence mechanism in DNSSEC that uses iterated SHA-1 hashing to produce hashed owner names, preventing zone enumeration. The iteration count embedded in NSEC3 records controls how many times the hash function is applied - higher values increase computational cost. Unbound 1.19.1 introduced a cap on NSEC3 hash iterations to mitigate exactly this class of CPU exhaustion. However, the separate code path that consults the negative cache for DS (Delegation Signer) records - used during DNSSEC chain-of-trust validation for delegated zones - was never updated to enforce this cap. CWE-407 (Inefficient Algorithmic Complexity) is the root cause: the number of hash operations is O(iterations) and is attacker-controlled via a zone they legitimately operate. A compounding factor is a global lock on the negative cache, held for the full duration of the hashing; under concurrent query load this becomes a serialization bottleneck across all resolver threads.

RemediationAI

The primary fix is to upgrade to Unbound 1.25.1, which applies the existing NSEC3 hash calculation limit to the previously unguarded negative cache DS code path. The vendor advisory is available at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42923.txt. If immediate upgrading is not feasible, operators can reduce exposure by configuring Unbound's val-nsec3-keysize-iterations option to enforce a lower iteration ceiling globally, though this may cause validation failures for zones that legitimately use higher counts. An additional compensating control is to restrict the set of zones Unbound validates using forward-zone or local-zone directives to exclude untrusted delegations, at the cost of reduced DNSSEC coverage. Rate-limiting queries per source IP via RPZ or firewall rules can reduce the effectiveness of coordinated flooding attacks but will not eliminate the underlying vulnerability. No workaround fully mitigates the issue without the patch.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-42923 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy