EUVD-2026-31081
GHSA-8f6w-8h24-fw66
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Lifecycle Timeline
2DescriptionNVD
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.
AnalysisAI
Unbound DNS resolver up to and including version 1.25.0 exposes a denial-of-service condition in its DNSSEC validation stack, specifically in the negative cache code path used to look up DS records. An adversary who controls a DNSSEC-signed zone can craft NSEC3 records with high-but-permissible iteration counts for child delegations, causing any vulnerable Unbound instance that queries those records to perform unbounded SHA-1 hash computations while holding a global negative cache lock - blocking all other threads that need cache access. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today