Skip to main content

Unbound CVE-2026-42960

| EUVDEUVD-2026-31083 MEDIUM
Acceptance of Extraneous Untrusted Data With Trusted Data (CWE-349)
2026-05-20 sep@nlnetlabs.nl GHSA-x7f7-rggg-4jvv
5.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
SUSE
5.9 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:35 vuln.today

DescriptionCVE.org

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.

AnalysisAI

DNS cache poisoning in NLnet Labs Unbound 1.25.0 and earlier allows an adjacent-network attacker to inject malicious resource records into the resolver's cache by exploiting insufficient validation of authority-section RRSets. By attaching forged non-NS RRSets (such as MX records) with accompanying address records in spoofed or fragmented DNS replies, an attacker can trick Unbound into caching poisoned entries when the authority RRSet carries sufficient trust as in-zone delegation data. Publicly available proof-of-concept exploit code exists (CVSS 4.0 E:P); this is a complement fix to CVE-2025-11411, meaning systems that patched the prior vulnerability but have not upgraded to 1.25.1 remain exposed.

Technical ContextAI

Unbound is a validating, recursive DNS resolver developed by NLnet Labs. The root cause is CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data): Unbound incorrectly trusts and caches additional-section address records that accompany authority-section RRSets, even when those address records are not strictly relevant to NS delegation glue. The DNS protocol permits resolvers to use glue records-address records co-located with NS referrals-to bootstrap lookups, and Unbound's insufficient scoping of this trust allowed non-NS RRSets (e.g., MX) placed in the authority section to elevate the trustworthiness of their accompanying address records in the additional section. If the authority RRSet meets Unbound's in-zone trust threshold for the delegation point, the associated address records are cached as trusted. This mechanism is exploitable via spoofed DNS reply packets or IP fragmentation attacks. No CPE strings were provided in the source data; affected versions are inferred from the NLnet Labs advisory.

RemediationAI

The primary fix is to upgrade to Unbound 1.25.1, which patches this vulnerability by disregarding address records from the additional section when they are not explicitly relevant to authority NS records, eliminating the promiscuous caching behavior. The vendor advisory is at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42960.txt. Where immediate upgrade is not possible, operators should restrict network access to the Unbound resolver to trusted clients only, reducing exposure to adjacent-network spoofing; note this does not prevent fragmentation attacks from authorized clients. Enabling and enforcing DNSSEC validation limits poisoning effectiveness for signed zones because forged records fail signature verification, but this does not fully mitigate the vulnerability and provides no protection for unsigned zones. Blocking IP fragmentation at the network perimeter reduces the fragmentation attack vector but may cause legitimate large DNS responses to fail, potentially disrupting DNS resolution for DNSSEC-heavy or large-record responses. Since this is a complement to CVE-2025-11411, systems that previously patched for that CVE but remain on versions below 1.25.1 are still exposed and must upgrade.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-42960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy