CVE-2026-42960
Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to cache poisoning via promiscuous records in the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound into caching such records. If an adversary is able to attach such records to a reply (e.g., via a spoofed packet or a fragmentation attack), they would be able to poison Unbound's cache. A malicious actor can exploit this by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by attempting to spoof a reply packet or by fragmentation attacks. Unbound would then accept the related address records in the additional section and cache them if the authority RRSet has enough trust at that point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section unless they are explicitly relevant to authority NS records, mitigating the possible poisoning effect. This is a complementary fix to CVE-2025-11411.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NLnet Labs Unbound up to 1.25.0 is vulnerable to DNS cache poisoning via promiscuous authority section records, allowing an attacker to inject and cache malicious address records.
Vulnerability
NLnet Labs Unbound versions up to and including 1.25.0 are vulnerable to DNS cache poisoning due to improper handling of promiscuous RRSets in the authority section of DNS replies. The vulnerability, a complement to CVE-2025-11411, allows an attacker to inject RRSets other than NS (e.g., MX) that are accompanied by address records in the additional section. If the authority RRSet has sufficient trust (i.e., in-zone data for the delegation point), Unbound will accept and cache those address records [1].
Exploitation
An attacker must be able to spoof DNS reply packets or perform fragmentation attacks to inject malicious records. The attacker crafts a reply containing an authority section with a non-NS RRSet (e.g., MX) and includes corresponding address records in the additional section. Unbound, upon receiving such a reply, caches the address records if the authority RRSet is deemed trustworthy based on the delegation point [1].
Impact
Successful exploitation allows an attacker to poison Unbound's DNS cache, redirecting subsequent queries to attacker-controlled destinations. This can lead to man-in-the-middle attacks, credential theft, and other forms of traffic interception, compromising the confidentiality, integrity, and availability of DNS resolution for affected clients [1].
Mitigation
The vulnerability is fixed in Unbound version 1.25.1, released on 2026-05-20. A patch for version 1.25.0 is also available from NLnet Labs. The fix disregards address records from the additional section unless they are explicitly relevant only to authority NS records, preventing the cache poisoning vector. No workarounds are documented; upgrading or applying the patch is recommended [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (2)
18ae4b4545dcc: Fix CVE-2026-42960, Possible cache poisoning attack while following
2 files changed · +10 −1
doc/Changelog+3 −0 modified@@ -19,6 +19,9 @@ - Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix CVE-2026-42960, Possible cache poisoning attack while following + delegation. Thanks to TaoFei Guo from Peking University, Yang Luo + and JianJun Chen, Tsinghua University, for the report. 23 April 2026: Wouter - Merge #1441: Fix buffer overrun in
iterator/iter_scrub.c+7 −1 modified@@ -777,7 +777,13 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, rrset->rrset_all_next = NULL; return 1; } - mark_additional_rrset(pkt, msg, rrset); + /* Only mark glue as allowed for type NS in the authority + * section. Other RR types do not get glue for them, it + * is allowed from the answer section, but not authority + * so that a message can not have address records cached + * as a side effect to the query. */ + if(rrset->type==LDNS_RR_TYPE_NS) + mark_additional_rrset(pkt, msg, rrset); prev = rrset; rrset = rrset->rrset_all_next; }
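Review bot: the guard `if(rrset->type==LDNS_RR_TYPE_NS)` in front of `mark_additional_rrset(pkt, msg, rrset);` in the authority-section loop of scrub_normalize() closes the MX case, but the patch carries no regression test for it; a test reply with an MX RRset in the authority section and an A/AAAA RRset for the exchanger in the additional section, asserting that the address RRset is scrubbed rather than kept as glue, would keep this from regressing. The comment already explains why only NS qualifies, which is good; the Changelog hunk matches the code change.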
Vulnerability mechanics
Root cause
"Unbound unconditionally marks address records from the additional section as allowed for caching when processing any RRset in the authority section, instead of restricting this behavior to only NS-type records."
Attack vector
An attacker spoofs a DNS reply (or uses fragmentation attacks) that includes a delegation in the authority section with a non-NS RRset (e.g., MX) accompanied by forged address records in the additional section. Because Unbound previously accepted additional-section address records for any authority-section RRset, the attacker's injected address records would be cached as glue. This allows cache poisoning when the authority RRset has sufficient trust (i.e., in-zone data for the delegation point). The attack requires the ability to inject a crafted DNS reply that the resolver accepts [CWE-349].
Affected code
The vulnerable code is in `iterator/iter_scrub.c` within the `scrub_normalize()` function. The loop that processes authority-section RRSets unconditionally called `mark_additional_rrset()` for every RRset type, allowing address records from the additional section to be cached as glue for non-NS delegation records.
What the fix does
The patch adds a type check in `scrub_normalize()` within `iterator/iter_scrub.c` so that `mark_additional_rrset()` is only called when the authority-section RRset is of type NS (`LDNS_RR_TYPE_NS`) [patch_id=792202]. Previously, address records in the additional section were marked as allowed for any RRset type in the authority section, enabling attackers to piggyback forged glue on non-NS delegation records such as MX. By restricting glue acceptance to NS records only, the fix removes the side effect through which extraneous address records could be cached and poison the resolver's cache.
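To make the check concrete, here is an added C model of the glue-marking decision (a constructed example, not Unbound's own code; the struct layout, the `scrub_authority_glue()` and `demo_mx_glue()` names, and the example.test names are assumptions). It runs the pre-1.25.1 behaviour beside the fixed one on a reply carrying an MX RRset in the authority section with an address record for the exchanger in the additional section.

```c
/* Model of the scrub_normalize() glue-marking decision described above. Constructed
 * example, not Unbound code: real Unbound walks the parsed wire-format message. */
#include <stdbool.h>
#include <string.h>
#define RR_TYPE_A    1
#define RR_TYPE_NS   2
#define RR_TYPE_MX   15
#define RR_TYPE_AAAA 28

struct rrset {
    const char *owner;  /* owner name of the RRset */
    int type;           /* RR type number */
    const char *target; /* name in rdata: NS target or MX exchange, else NULL */
    bool keep;          /* set when an additional RRset may stay as glue */
};

/* Mark additional A/AAAA RRsets owned by the name an authority RRset's rdata
 * points at (the role mark_additional_rrset() plays in Unbound). */
static void mark_additional(struct rrset *add, int n_add, const struct rrset *auth)
{
    for (int i = 0; i < n_add; i++)
        if ((add[i].type == RR_TYPE_A || add[i].type == RR_TYPE_AAAA) &&
            auth->target && strcmp(add[i].owner, auth->target) == 0)
            add[i].keep = true;
}

/* Returns how many additional RRsets survive scrubbing. fixed=false models
 * Unbound <= 1.25.0; fixed=true models the 1.25.1 type check. */
int scrub_authority_glue(const struct rrset *auth, int n_auth,
                         struct rrset *add, int n_add, bool fixed)
{
    int kept = 0;
    for (int i = 0; i < n_add; i++) add[i].keep = false;
    for (int i = 0; i < n_auth; i++) {
        if (fixed && auth[i].type != RR_TYPE_NS)
            continue; /* the CVE-2026-42960 fix: only NS RRsets get glue */
        mark_additional(add, n_add, &auth[i]);
    }
    for (int i = 0; i < n_add; i++) kept += add[i].keep ? 1 : 0;
    return kept;
}

/* Constructed reply in the advisory's shape: MX in the authority section and
 * an A record for the exchanger in the additional section (names assumed). */
int demo_mx_glue(bool fixed)
{
    const struct rrset auth[] = { { "example.test.", RR_TYPE_MX, "mail.example.test.", false } };
    struct rrset add[] = { { "mail.example.test.", RR_TYPE_A, NULL, false } };
    return scrub_authority_glue(auth, 1, add, 1, fixed);
}
```

The trust check on the delegation point that the advisory mentions happens at a later stage in Unbound and is outside this model.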
Preconditions
- Network: Attacker must be able to inject a spoofed DNS reply or perform a fragmentation attack that the resolver accepts.
- Input: The spoofed reply must contain a non-NS RRset (e.g., MX) in the authority section with forged address records in the additional section.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.nlnetlabs.nl/downloads/unbound/CVE-2026-42960.txt (NVD tags: Mitigation, Vendor Advisory)