CVE-2026-42959
Description
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unbound up to 1.25.0 has a DNSSEC validator crash triggered by a crafted DNS reply due to incorrect offset calculation.
Vulnerability
A denial of service vulnerability exists in Unbound's DNSSEC validator (versions up to and including 1.25.0). When constructing chase-reply messages during validation, the code uses an incorrect counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication can increase the ANSWER section count, and authority filtering can decrease the AUTHORITY section count, creating an uninitialized array slot. The validator later dereferences this uninitialized pointer, causing an immediate process crash [1].
Exploitation
An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query. The attacker configures a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. No prior authentication or special network position is required beyond the ability to respond to DNS queries from an affected Unbound resolver [1].
Impact
Successful exploitation results in a denial of service via process crash of the Unbound resolver. The crash is immediate and can be triggered remotely without authentication, impacting availability of DNS resolution for all clients relying on the vulnerable server [1].
Mitigation
Unbound 1.25.1, released on 2026-05-20, contains a fix that uses the proper counters to calculate write offsets. Users should upgrade to 1.25.1 or apply the manual patch available from NLnet Labs [1]. For Unbound 1.25.0, the patch can be downloaded and applied with patch -p1 < patch_CVE-2026-42959.diff followed by make install [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
194d5babaee22 - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
2 files changed · +4 −2
doc/Changelog+2 −0 modified@@ -4,6 +4,8 @@ - Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious + content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. 23 April 2026: Wouter - Merge #1441: Fix buffer overrun in
validator/val_utils.c+2 −2 modified@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig, if(query_dname_compare(name, orig->rrsets[i]->rk.dname) == 0) chase->rrsets[chase->an_numrrsets - +orig->ns_numrrsets+chase->ar_numrrsets++] + +chase->ns_numrrsets+chase->ar_numrrsets++] = orig->rrsets[i]; } else if(rrset_has_signer(orig->rrsets[i], name, len)) { - chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ + chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+ chase->ar_numrrsets++] = orig->rrsets[i]; } }
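Review bot: in the validator/val_utils.c hunk the corrected subscript chase->an_numrrsets+chase->ns_numrrsets+chase->ar_numrrsets++ is now written out identically in both branches (the query_dname_compare branch and the rrset_has_signer branch), which is exactly how the wrong counter crept into both copies in the first place; computing the index once before the if/else, or in a small helper, would keep the two in step and make the counter choice obvious. Since the fix relies on chase->ns_numrrsets already being final when this loop runs, a regression test that builds a chase reply whose AUTHORITY section was reduced by filtering while its ANSWER section grew through DNAME duplication would pin the behaviour, and a bounds assertion that the computed index stays below the allocated rrsets array size would turn any future counter mismatch into a clean failure rather than an uninitialized read.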
Vulnerability mechanics
Root cause
"The function val_fill_reply uses orig->ns_numrrsets (the original reply's authority count) instead of chase->ns_numrrsets (the filtered chase reply's authority count) when computing write offsets, which can leave an uninitialized pointer slot that is later dereferenced."
Attack vector
An adversary controlling a DNSSEC-signed domain sends a crafted response containing a DNAME chain with unsigned CNAMEs, unsigned AUTHORITY records, and signed ADDITIONAL glue records. DNAME duplication inflates the ANSWER section count while authority filtering reduces the AUTHORITY section count, causing the chase reply's array layout to mismatch the offsets computed using the original reply's counters [CWE-824]. When the validator later dereferences the uninitialized pointer slot created by this mismatch, the process crashes immediately. The attacker only needs to control a DNSSEC-signed domain and send a single query to trigger the bug.
Affected code
The vulnerable function is val_fill_reply in validator/val_utils.c. The bug is in two occurrences of the same offset calculation, chase->rrsets[chase->an_numrrsets + orig->ns_numrrsets + chase->ar_numrrsets++], one in each branch of the signer check that copies ADDITIONAL rrsets into the chase reply. Both use orig->ns_numrrsets (the original reply's authority count) instead of chase->ns_numrrsets (the filtered chase reply's authority count).
What the fix does
The patch changes two lines in val_fill_reply (validator/val_utils.c) to replace orig->ns_numrrsets with chase->ns_numrrsets when computing write offsets into the chase reply's rrsets array [patch_id=792203]. The original code used the unfiltered authority count from the original reply, but because authority filtering can remove records, the chase reply's authority section (chase->ns_numrrsets) may be smaller. Using the wrong counter causes the code to write into the wrong array slot, leaving the intended slot uninitialized. The fix ensures the offset calculation always uses the chase reply's own counters, so every slot is properly populated before use.
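The following C program is an added illustration of the counter mismatch described in the "Affected code" and "What the fix does" sections; it is not Unbound's code. It models struct reply_info with only the three section counters and the rrsets pointer array (the real structure has more fields), fills the ADDITIONAL slots the way the vulnerable val_fill_reply did and the way the 1.25.1 fix does, and counts how many slots in the chase reply's populated range were never written. The scenario sizes (one ANSWER rrset duplicated by DNAME processing, one of two AUTHORITY rrsets dropped by filtering, two signed glue rrsets) are constructed for the demonstration. The array is zeroed so an unwritten slot shows up as NULL; in the real allocation it would be uninitialized memory, which is what the validator later dereferences.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Unbound's own code: a deliberately reduced model of
 * struct reply_info with just the section counters and the rrsets array. */
#define MAX_RRSETS 16

struct rrset {
    const char *name;   /* owner name, used only for the demonstration */
};

struct reply_info {
    size_t an_numrrsets;               /* ANSWER rrsets */
    size_t ns_numrrsets;               /* AUTHORITY rrsets */
    size_t ar_numrrsets;               /* ADDITIONAL rrsets */
    struct rrset *rrsets[MAX_RRSETS];  /* ANSWER, then AUTHORITY, then ADDITIONAL */
};

/* Copy orig's ADDITIONAL rrsets into chase after chase's ANSWER and AUTHORITY
 * sections. use_chase_counter == 0 computes the offset the way the vulnerable
 * val_fill_reply did (orig->ns_numrrsets); 1 computes it the way the 1.25.1
 * fix does (chase->ns_numrrsets). */
static void fill_additional(struct reply_info *chase, const struct reply_info *orig,
                            int use_chase_counter)
{
    size_t ns = use_chase_counter ? chase->ns_numrrsets : orig->ns_numrrsets;
    size_t first_ar = orig->an_numrrsets + orig->ns_numrrsets; /* orig's own layout */
    size_t i;
    chase->ar_numrrsets = 0;
    for (i = first_ar; i < first_ar + orig->ar_numrrsets; i++)
        chase->rrsets[chase->an_numrrsets + ns + chase->ar_numrrsets++] = orig->rrsets[i];
}

/* Count slots in chase's populated range [0, an + ns + ar) that were never
 * written. The array is zeroed beforehand, so such a slot is NULL here. */
static size_t count_unfilled_slots(const struct reply_info *chase)
{
    size_t total = chase->an_numrrsets + chase->ns_numrrsets + chase->ar_numrrsets;
    size_t i, unfilled = 0;
    for (i = 0; i < total; i++)
        if (chase->rrsets[i] == NULL)
            unfilled++;
    return unfilled;
}

/* Constructed scenario: orig has 1 ANSWER, 2 AUTHORITY and 2 ADDITIONAL rrsets.
 * By the time ADDITIONAL is filled, the chase reply has 2 ANSWER rrsets (DNAME
 * duplication) and 1 AUTHORITY rrset (the unsigned one was filtered out). */
static size_t run_scenario(int use_chase_counter)
{
    static struct rrset a0 = {"answer"}, dup = {"answer-dname-copy"},
                        n0 = {"auth-signed"}, n1 = {"auth-unsigned"},
                        g0 = {"glue-a"}, g1 = {"glue-b"};
    struct reply_info orig, chase;
    memset(&orig, 0, sizeof(orig));
    memset(&chase, 0, sizeof(chase));

    orig.an_numrrsets = 1; orig.ns_numrrsets = 2; orig.ar_numrrsets = 2;
    orig.rrsets[0] = &a0;
    orig.rrsets[1] = &n0; orig.rrsets[2] = &n1;
    orig.rrsets[3] = &g0; orig.rrsets[4] = &g1;

    /* chase ANSWER and AUTHORITY as laid out before the ADDITIONAL copy */
    chase.an_numrrsets = 2; chase.rrsets[0] = &a0; chase.rrsets[1] = &dup;
    chase.ns_numrrsets = 1; chase.rrsets[2] = &n0;

    fill_additional(&chase, &orig, use_chase_counter);
    return count_unfilled_slots(&chase);
}

int main(void)
{
    /* wrong counter: glue lands at indices 4 and 5, index 3 is never written */
    printf("orig->ns_numrrsets  : %zu unfilled slot(s)\n", run_scenario(0));
    /* fixed counter: glue lands at indices 3 and 4, every slot is written */
    printf("chase->ns_numrrsets : %zu unfilled slot(s)\n", run_scenario(1));
    return 0;
}
```

With the original reply's authority count the two glue pointers are written one slot too far, so slot 3 (the first ADDITIONAL position of the chase reply) is left untouched and whatever the validator later reads from it is garbage; with the chase reply's own count every slot in the range the counters describe is populated.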
Preconditions
- network: Attacker must control a DNSSEC-signed domain and be able to send crafted DNS responses to the victim Unbound resolver.
- input: The crafted response must contain a DNAME chain with unsigned CNAMEs, unsigned AUTHORITY records, and signed ADDITIONAL glue records to trigger the counter mismatch.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txt (NVD: Mitigation, Vendor Advisory)