NLnet Labs Unbound: 11 CVEs Disclosed in Single Advisory — Two Critical Including Cache Poisoning
NLnet Labs released Unbound 1.26.0 on May 20, 2026, patching 11 vulnerabilities disclosed together, including a critical cache-poisoning bug (CVSS 10.0) and a DNSSEC validator flaw enabling possible remote code execution.

Key findings
- CVE-2026-42960 (CVSS 10.0) enables DNS cache poisoning via promiscuous authority-section records
- CVE-2026-33278 (CVSS 9.8) is a DNSSEC validator flaw with possible remote code execution
- Four High-severity bugs include heap overflow, DoS, ghost domains, and EDNS parsing attacks
- All 11 CVEs are fixed in Unbound 1.26.0, released May 20, 2026
- Affected versions span from 1.6.2 up to 1.25.0 depending on the CVE
- Bugs touch DNSSEC validation, EDNS handling, RPZ, NSID/cookie encoding, and DNSCrypt
NLnet Labs patched 11 distinct vulnerabilities in its popular DNS resolver Unbound on May 20, 2026, with the release of version 1.26.0. The batch spans all severity levels — two are rated Critical, four High, and five Medium — and touches nearly every core subsystem: DNSSEC validation, EDNS option handling, RPZ zone transfers, NSID/cookie encoding, and the caching layer. The most severe bug, CVE-2026-42960, carries a perfect CVSS 10.0 score and enables DNS cache poisoning via promiscuous authority-section records.
Critical cache poisoning via promiscuous records
CVE-2026-42960 (CVSS 10.0) is the batch's headline vulnerability. Unbound up to and including version 1.25.0 can be poisoned because it caches extra ("promiscuous") RRsets carried in the authority section of a reply alongside the answer. An adversary who can place such records in a reply, for example by controlling an upstream server the resolver talks to or by sitting on the path between them, can get Unbound to cache forged DNS data. This is a classic cache-poisoning vector with broad impact: every downstream client of the poisoned resolver receives the forged records for as long as they stay cached, and can be redirected to attacker-controlled hosts.
Critical DNSSEC validator flaw with possible RCE
CVE-2026-33278 (CVSS 9.8) affects Unbound 1.19.1 through 1.25.0. The DNSSEC validator deep-copies a data structure during chase-reply construction and erroneously overwrites a destination pointer. NLnet Labs rates this as enabling denial of service and *possible remote code execution*. An adversary who controls a malicious upstream DNS server can trigger the flaw by sending crafted DNSSEC responses.
High-severity bugs: DoS, heap overflow, ghost domains
Four High-severity CVEs round out the batch:
CVE-2026-42959 (CVSS 7.5) — A denial-of-service vulnerability in the DNSSEC validator. When Unbound constructs chase-reply messages for validation, it uses the wrong counter to calculate write offsets for the ADDITIONAL section, leading to a crash on malicious upstream replies.
CVE-2026-42944 (CVSS 7.5) — A heap overflow when encoding multiple NSID, DNS Cookie, and/or EDNS Padding options in the reply packet. The relevant options (nsid, answer-cookie, pad-responses) need to be enabled; pad-responses is on by default.
CVE-2026-41292 (CVSS 7.5) — A degradation-of-service attack via parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage during parsing and internal data-structure creation.
CVE-2026-40622 (CVSS 7.5) — A "ghost domain names" family attack affecting Unbound 1.16.2 through 1.25.0. It extends the ghost-domain window by up to one cached TTL value. An adversary needs to control a ghost zone and be able to query it.
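The EDNS-option flood described for CVE-2026-41292 is something a detection engineer can look for on the wire before patching is complete. The following is an added example for this write-up, not code from Unbound or NLnet Labs: a small parser that walks a wire-format DNS query, finds the OPT RR in the additional section and counts the options it carries, flagging queries above a threshold and treating malformed option lists as suspicious too. The sample queries are constructed inline by build_query, and OPTION_THRESHOLD (16) is an assumed tuning value, not a number from the advisory.

```python
"""Count EDNS(0) options in a wire-format DNS query and flag option floods.

Added example for this write-up, not code from Unbound or NLnet Labs. Query bytes
are constructed inline; OPTION_THRESHOLD is an assumed tuning value, not a number
from the advisory.
"""
import struct

OPTION_THRESHOLD = 16   # assumption: legitimate clients send a handful of options at most
TYPE_OPT = 41
EDNS_PADDING = 12


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past the domain name that starts at `off`."""
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def count_edns_options(pkt: bytes) -> int:
    """Number of options carried in the query's OPT RR (0 if there is no OPT RR).

    Raises ValueError on a malformed packet so the caller can treat it as suspicious.
    """
    if len(pkt) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):                     # question: name, qtype, qclass
        off = _skip_name(pkt, off) + 4
    for i in range(an + ns + ar):           # RR: name, type(2), class(2), ttl(4), rdlen(2), rdata
        off = _skip_name(pkt, off)
        if off + 10 > len(pkt):
            raise ValueError("truncated RR header")
        rtype = struct.unpack("!H", pkt[off:off + 2])[0]
        rdlen = struct.unpack("!H", pkt[off + 8:off + 10])[0]
        rdata = pkt[off + 10:off + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        off += 10 + rdlen
        if i < an + ns or rtype != TYPE_OPT:
            continue                        # only the OPT RR in the additional section matters
        count, p = 0, 0
        while p < len(rdata):               # option: code(2) length(2) data(length)
            if p + 4 > len(rdata):
                raise ValueError("truncated option header")
            _code, olen = struct.unpack("!HH", rdata[p:p + 4])
            p += 4 + olen
            if p > len(rdata):
                raise ValueError("option overruns OPT rdata")
            count += 1
        return count
    return 0


def classify(pkt: bytes, threshold: int = OPTION_THRESHOLD) -> str:
    """'ok', 'flood', or 'malformed: <reason>' for one query packet."""
    try:
        n = count_edns_options(pkt)
    except (ValueError, struct.error) as exc:
        return f"malformed: {exc}"
    return "flood" if n > threshold else "ok"


def build_query(qname: str, n_options: int) -> bytes:
    """Constructed sample: an A query carrying `n_options` EDNS Padding options in its OPT RR."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)   # id, RD, 1 question, 1 additional
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)                     # qtype A, qclass IN
    rdata = (struct.pack("!HH", EDNS_PADDING, 4) + b"\x00" * 4) * n_options
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata))   # root name, OPT, UDP size, ext flags
    return header + question + opt + rdata


if __name__ == "__main__":
    for label, pkt in [("normal", build_query("example.com", 1)),
                       ("flood", build_query("example.com", 500)),
                       ("truncated", build_query("example.com", 2)[:-3])]:
        print(f"{label:10s} {classify(pkt)}")
```

The parser deliberately stops at the first OPT RR and refuses packets whose option lengths overrun the OPT rdata, since a resolver that keeps walking such a list is exactly the behaviour the advisory describes; feed it the UDP payloads from a capture to get a per-query verdict.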
Medium-severity bugs: locking, compression, NSEC3, jostle, DNSCrypt
Five Medium-severity CVEs complete the disclosure:
CVE-2026-44608 (CVSS 5.9) — A locking inconsistency in multi-threaded configurations using RPZ XFR reload with rpz-nsip/rpz-nsdname triggers, leading to heap use-after-free and crash.
CVE-2026-44390 (CVSS 5.3) — Excessive CPU consumption when handling replies with very large RRsets that require name compression, where records don't share a suffix above the root.
CVE-2026-42923 (CVSS 5.3) — The DNSSEC validator's code path for consulting the negative cache for DS records does not respect the NSEC3 hash calculation limit introduced in 1.19.1, enabling degradation of service.
CVE-2026-42534 (CVSS 5.3) — A flaw in the jostle logic where retransmits of the same query renew the age of slow-running queries, preventing the jostle mechanism from replacing them and degrading resolution performance.
CVE-2026-32792 (CVSS 5.3) — A denial-of-service bug when Unbound is compiled with DNSCrypt support (--enable-dnscrypt). A bad DNSCrypt query can underflow the packet-reading procedure, potentially leading to heap overflow.
Patch and mitigation
All 11 CVEs are fixed in Unbound version 1.26.0, released on May 20, 2026. Anyone running an earlier release should upgrade immediately; the affected range differs per CVE (for some bugs it reaches back as far as 1.6.2) and NLnet Labs' advisory lists the exact range for each. No per-bug workarounds have been published; the vendor recommends updating to 1.26.0. Until that is done, the descriptions above do indicate where exposure depends on build and configuration: the option-encoding heap overflow (CVE-2026-42944) is only reachable when nsid, answer-cookie or pad-responses is enabled, and pad-responses is on by default; the DNSCrypt bug (CVE-2026-32792) applies only to builds compiled with --enable-dnscrypt.
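For triaging a fleet, the useful inputs are the running version, the configure line and the three option values. The script below is an added example for this write-up, not NLnet Labs tooling. It encodes only the version ranges this page states explicitly (CVE-2026-42960 up to 1.25.0, CVE-2026-33278 from 1.19.1, CVE-2026-40622 from 1.16.2) and treats the rest of the batch generically as "fixed in 1.26.0", pointing at the vendor advisory for per-CVE ranges. The sample `unbound -V` text and option values are constructed; `collect_live()` shells out to `unbound -V` and `unbound-checkconf -o <option>`, on the assumption that those three options can be queried that way on the host.

```python
"""Triage an Unbound host against the 1.26.0 advisory.

Added example, not NLnet Labs tooling. Only the version ranges stated on the page
are encoded; other CVEs are flagged generically for any release before 1.26.0.
SAMPLE_V and SAMPLE_OPTIONS are constructed inputs.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
FIXED: Version = (1, 26, 0)

# (cve, lower bound or None where the page states none, upper bound, note)
RANGES: List[Tuple[str, Optional[Version], Version, str]] = [
    ("CVE-2026-42960", None, (1, 25, 0), "cache poisoning via promiscuous authority-section RRsets"),
    ("CVE-2026-33278", (1, 19, 1), (1, 25, 0), "DNSSEC validator chase-reply copy: DoS, possible RCE"),
    ("CVE-2026-40622", (1, 16, 2), (1, 25, 0), "ghost domain window extended by one cached TTL"),
]
# Exposure gated on configuration or build, per the advisory summaries.
OPTION_GATED = ("CVE-2026-42944", ("nsid", "answer-cookie", "pad-responses"))
DNSCRYPT_GATED = ("CVE-2026-32792", "--enable-dnscrypt")

SAMPLE_V = """Version 1.25.0

Configure line: --prefix=/usr --with-libevent --enable-dnscrypt
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13 30 Jan 2024
"""
SAMPLE_OPTIONS = {"nsid": "", "answer-cookie": "no", "pad-responses": "yes"}


def parse_version(unbound_v_output: str) -> Version:
    """Extract x.y.z from the 'Version x.y.z' line that `unbound -V` prints first."""
    m = re.search(r"^Version (\d+)\.(\d+)\.(\d+)", unbound_v_output, re.M)
    if not m:
        raise ValueError("no 'Version x.y.z' line in unbound -V output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def _enabled(name: str, value: str) -> bool:
    # nsid takes a string (hex or ascii_...), the other two are yes/no switches
    if name == "nsid":
        return bool(value.strip())
    return value.strip().lower() == "yes"


def triage(unbound_v_output: str, options: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (cve, reason) pairs that apply to this host; empty once on 1.26.0 or later."""
    v = parse_version(unbound_v_output)
    findings: List[Tuple[str, str]] = []
    if v >= FIXED:
        return findings
    for cve, lo, hi, note in RANGES:
        if (lo is None or v >= lo) and v <= hi:
            findings.append((cve, note))
    cve, names = OPTION_GATED
    enabled = [n for n in names if _enabled(n, options.get(n, ""))]
    if enabled:
        findings.append((cve, "option-encoding heap overflow reachable, enabled: " + ", ".join(enabled)))
    cve, flag = DNSCRYPT_GATED
    if flag in unbound_v_output:
        findings.append((cve, "DNSCrypt build; a bad DNSCrypt query can underflow the packet reader"))
    findings.append(("remaining CVEs in the batch", "release predates 1.26.0; see vendor advisory for per-CVE ranges"))
    return findings


def collect_live() -> Tuple[str, Dict[str, str]]:
    """Gather the same inputs from the local host (assumes unbound-checkconf -o works for these options)."""
    out = subprocess.run(["unbound", "-V"], capture_output=True, text=True, check=True).stdout
    opts = {}
    for name in OPTION_GATED[1]:
        opts[name] = subprocess.run(["unbound-checkconf", "-o", name],
                                    capture_output=True, text=True, check=True).stdout
    return out, opts


if __name__ == "__main__":
    for cve, reason in triage(SAMPLE_V, SAMPLE_OPTIONS):
        print(f"{cve:28s} {reason}")
```

On a host, replace the sample inputs with `collect_live()`; the output is a worklist, not a verdict on exploitability, since the page gives no lower bound for CVE-2026-42960 and no ranges at all for the remaining eight.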
Why this batch matters
This is the largest single-day Unbound disclosure in recent memory, and the presence of a CVSS 10.0 cache-poisoning bug — the most critical class of vulnerability for a DNS resolver — makes it especially urgent for operators of recursive resolvers, DNS infrastructure teams, and anyone running Unbound in enterprise or ISP environments. The DNSSEC validator bugs (CVE-2026-33278, CVE-2026-42959, CVE-2026-42923) are also notable because DNSSEC validation is a core security feature; flaws in the validator undermine the trust model it is meant to enforce. Administrators should prioritize the 1.26.0 upgrade and review their EDNS option configurations and RPZ zone policies as additional hardening steps.