CVE-2026-42534
Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unbound up to 1.25.0 has a flaw in jostle logic where duplicate query retransmits reset aging, allowing attackers to degrade resolution performance.
Vulnerability
NLnet Labs Unbound versions up to and including 1.25.0 contain a vulnerability in the jostle logic. The jostle logic is designed to replace slow-running queries when the num-queries-per-thread limit is reached. However, duplicate queries (retransmits of the same query) renew the age timestamp of the original query, preventing the jostle logic from identifying them as aged candidates for replacement. This defeats the purpose of the jostle mechanism [1].
Exploitation
An adversary who can query a vulnerable Unbound instance and control a domain name server that responds slowly or maliciously can exploit this vulnerability. By sending duplicate queries, the attacker can keep slow queries alive, skewing the aging result to use the timestamp of the latest duplicate instead of the original. When the num-queries-per-thread limit is reached, the jostle logic fails to replace the intended slow queries, degrading resolution performance [1].
Impact
The primary impact is degradation of Unbound's resolution performance. Cache and local data response performance remain unaffected. Coordinated attacks could escalate this to a denial of resolution service, preventing legitimate queries from being processed efficiently [1].
Mitigation
The vulnerability is fixed in Unbound version 1.25.1. For users on 1.25.0, a patch is available from NLnet Labs. Apply the patch to the source directory with patch -p1 < patch_CVE-2026-42534.diff and then run make install. Upgrading to 1.25.1 is the recommended mitigation [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
1a794c87578c9- Fix CVE-2026-42534, Jostle logic bypass degrades resolution
3 files changed · +19 −4
doc/Changelog+3 −0 modified@@ -13,6 +13,9 @@ - Fix CVE-2026-41292, Parsing a long list of incoming EDNS options degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto Networks, for the report. + - Fix CVE-2026-42534, Jostle logic bypass degrades resolution + performance. Thanks to Qifan Zhang, Palo Alto Networks, for the + report. 23 April 2026: Wouter - Merge #1441: Fix buffer overrun in
services/mesh.c+10 −4 modified@@ -297,12 +297,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf) if(mesh->num_reply_states < mesh->max_reply_states) return 1; /* try to kick out a jostle-list item */ - if(m && m->reply_list && m->list_select == mesh_jostle_list) { + if(m && m->list_select == mesh_jostle_list) { /* how old is it? */ struct timeval age; - timeval_subtract(&age, mesh->env->now_tv, - &m->reply_list->start_time); - if(timeval_smaller(&mesh->jostle_max, &age)) { + if(m->has_first_reply_time) + timeval_subtract(&age, mesh->env->now_tv, + &m->first_reply_time); + if(!m->has_first_reply_time || + timeval_smaller(&mesh->jostle_max, &age)) { /* its a goner */ log_nametypeclass(VERB_ALGO, "query jostled out to " "make space for a new one", @@ -1995,6 +1997,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns, r->qid = qid; r->qflags = qflags; r->start_time = *s->s.env->now_tv; + if(s->reply_list == NULL && !s->has_first_reply_time) { + s->first_reply_time = r->start_time; + s->has_first_reply_time = 1; + } r->next = s->reply_list; r->qname = regional_alloc_init(s->s.region, qinfo->qname, s->s.qinfo.qname_len);
services/mesh.h+6 −0 modified@@ -191,6 +191,12 @@ struct mesh_state { struct module_qstate s; /** the list of replies to clients for the results */ struct mesh_reply* reply_list; + /** if it has a first reply time */ + int has_first_reply_time; + /** wall-clock time the first client reply was attached; + * used by mesh_make_new_space() so duplicate retransmits + * cannot reset jostle aging. */ + struct timeval first_reply_time; /** the list of callbacks for the results */ struct mesh_cb* cb_list; /** set of superstates (that want this state's result)
Vulnerability mechanics
Root cause
"Duplicate retransmits of the same query update the reply timestamp, preventing the jostle logic from correctly aging slow queries and selecting them for replacement."
Attack vector
An adversary who can send queries to a vulnerable Unbound instance and who controls a slow-responding authoritative nameserver can exploit this vulnerability. When the 'num-queries-per-thread' limit is reached, the jostle logic selects half of the slowest queries for replacement. However, because each retransmit of the same query overwrites the reply timestamp with the latest duplicate's time, the jostle logic sees a younger age and does not target that query for eviction. This allows the attacker to keep many slow queries alive, consuming resolution slots and degrading performance for legitimate queries. Coordinated attacks can escalate this into a denial of resolution service. Cache and local data responses are unaffected [CWE-440].
Affected code
The vulnerability is in `services/mesh.c` in the `mesh_make_new_space()` function and `mesh_state_add_reply()` function [patch_id=792206]. The jostle logic in `mesh_make_new_space()` reads `m->reply_list->start_time` to compute query age, but this timestamp is overwritten on each duplicate retransmit. The `mesh_state` structure in `services/mesh.h` lacked a field to store the original, immutable start time.
What the fix does
The patch introduces a new `first_reply_time` field and a `has_first_reply_time` flag on the `mesh_state` structure [patch_id=792206]. In `mesh_state_add_reply()`, the first reply's start time is captured once and never updated. In `mesh_make_new_space()`, the jostle logic now reads `first_reply_time` instead of `reply_list->start_time`, and skips the age check entirely if no first reply time has been recorded. This ensures that duplicate retransmits cannot reset the aging clock, so the jostle logic correctly identifies truly old queries as candidates for replacement.
Preconditions
- networkAttacker must be able to send DNS queries to the vulnerable Unbound instance.
- networkAttacker must control a domain name server that replies slowly or maliciously to Unbound's queries.
- configUnbound's 'num-queries-per-thread' limit must be reached for the jostle logic to activate.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- www.nlnetlabs.nl/downloads/unbound/CVE-2026-42534.txtnvdMitigationVendor Advisory
News mentions
0No linked articles in our index yet.