VYPR
patch · Published May 31, 2026 · 1 source

NLnet Labs Unbound: 11 CVEs Disclosed in Single Advisory — Two Critical Including Cache Poisoning

NLnet Labs released Unbound 1.26.0 on May 20, 2026, patching 11 vulnerabilities including a CVSS 10.0 cache-poisoning bug and a DNSSEC validator flaw enabling possible remote code execution.

NLnet Labs patched 11 distinct vulnerabilities in its popular DNS resolver Unbound on May 20, 2026, with the release of version 1.26.0. The batch spans all severity levels — two are rated Critical, four High, and five Medium — and touches nearly every core subsystem: DNSSEC validation, EDNS option handling, RPZ zone transfers, NSID/cookie encoding, and the caching layer. The most severe bug, CVE-2026-42960, carries a perfect CVSS 10.0 score and enables DNS cache poisoning via promiscuous authority-section records.

CVE-2026-42960 (CVSS 10.0) is the batch's headline vulnerability. Unbound up to version 1.25.0 is vulnerable to poisoning when it caches promiscuous RRSets that complement DNS replies in the authority section. An adversary who can inject such records into a reply — for example, by controlling an upstream resolver or by occupying a man-in-the-middle position — can trick Unbound into caching forged DNS data. This is a classic cache-poisoning vector with broad impact: any downstream client using the poisoned resolver could be redirected to attacker-controlled hosts.
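The defect class described above is easiest to see against the rule a resolver is supposed to apply: an authority-section (or additional-section) record is only trustworthy, and therefore cacheable, if its owner name lies at or below the zone the answering server is authoritative for (the "bailiwick"). The following is an added illustration of that rule, not Unbound's code and not the patched logic from 1.26.0; the record layout, the `RR` class, the `cacheable_authority` function and the sample reply are all constructed for the example.

```python
"""Bailiwick check for authority-section records in a DNS reply.

Added illustration of the vulnerability class behind CVE-2026-42960
(caching "promiscuous" authority-section RRsets).  This is NOT Unbound's
code; it shows the general rule a resolver applies: an authority or
additional record is only cacheable if its owner name is the responding
zone itself or a name below it.  All types and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """Minimal resource record: owner name, type mnemonic, rdata as text."""
    name: str    # owner name, e.g. "example.com."
    rtype: str   # "NS", "A", ...
    rdata: str


def _labels(name: str) -> list[str]:
    """Normalise a domain name: case-insensitive, trailing dot stripped,
    split into labels (the root "." becomes the empty list)."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it."""
    n, z = _labels(name), _labels(zone)
    # A suffix match on the label list; for the root zone z is empty,
    # so every name is in bailiwick, as expected.
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def cacheable_authority(zone: str, authority: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split authority-section records into (accepted, rejected).

    `zone` is the zone the queried server is authoritative for.  Records
    owned by names outside that zone are "promiscuous": the server had no
    authority to assert them, so a resolver must not cache them.
    """
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in authority:
        (accepted if in_bailiwick(rr.name, zone) else rejected).append(rr)
    return accepted, rejected


def naive_cache_all(authority: list[RR]) -> list[RR]:
    """The behaviour the CVE describes in caricature: cache everything."""
    return list(authority)


# Constructed sample: a reply from the example.com nameservers for
# www.example.com whose authority section also carries an NS record for an
# unrelated zone.  A correct resolver keeps the first record and drops the
# second; a resolver that trusts the whole section would poison its cache.
SAMPLE_ZONE = "example.com."
SAMPLE_AUTHORITY = [
    RR("example.com.", "NS", "ns1.example.com."),
    RR("unrelated-bank.example.", "NS", "ns.attacker-controlled.example."),
]

if __name__ == "__main__":
    ok, bad = cacheable_authority(SAMPLE_ZONE, SAMPLE_AUTHORITY)
    print("cacheable:", [rr.name for rr in ok])
    print("rejected: ", [rr.name for rr in bad])
    print("naive resolver would cache:", [rr.name for rr in naive_cache_all(SAMPLE_AUTHORITY)])
```

The bailiwick test is a necessary condition, not the whole of a resolver's credibility ranking; real resolvers also rank data by the section it arrived in and never let a lower-credibility record overwrite a higher-credibility cache entry. The point of the example is only that an authority-section record owned by a name the responding server does not speak for should never reach the cache at all.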

CVE-2026-33278 (CVSS 9.8) affects Unbound 1.19.1 through 1.25.0. The DNSSEC validator deep-copies a data structure during chase-reply construction and erroneously overwrites a destination pointer. NLnet Labs rates this as enabling denial of service and *possible remote code execution*. An adversary who controls a malicious upstream DNS server can trigger the flaw by sending crafted DNSSEC responses.

Four High-severity CVEs round out the batch. CVE-2026-42959 (CVSS 7.5) is a denial-of-service vulnerability in the DNSSEC validator. When Unbound constructs chase-reply messages for validation, it uses the wrong counter to calculate write offsets for the ADDITIONAL section, leading to a crash on malicious upstream replies. CVE-2026-42944 (CVSS 7.5) is a heap overflow when encoding multiple NSID, DNS Cookie, and/or EDNS Padding options in the reply packet; note that pad-responses is on by default. CVE-2026-41292 (CVSS 7.5) is a degradation-of-service attack via parsing long lists of incoming EDNS options. CVE-2026-40622 (CVSS 7.5) is a "ghost domain names" family attack affecting Unbound 1.16.2 through 1.25.0, extending the ghost-domain window by up to one cached TTL value.

Five Medium-severity CVEs complete the disclosure. These include a locking inconsistency in multi-threaded configurations using RPZ XFR reload (CVE-2026-44608, CVSS 5.9), excessive CPU consumption when handling replies with very large RRsets (CVE-2026-44390, CVSS 5.3), a code path in the DNSSEC validator that does not respect the NSEC3 hash calculation limit (CVE-2026-42923, CVSS 5.3), a flaw in the jostle logic (CVE-2026-42534, CVSS 5.3), and a denial-of-service bug when Unbound is compiled with DNSCrypt support (CVE-2026-32792, CVSS 5.3).

All 11 CVEs are fixed in Unbound version 1.26.0, released on May 20, 2026. Users running any version from 1.14.0 through 1.25.0 (or, for some bugs, as far back as 1.6.2) should upgrade immediately. NLnet Labs' advisory covers the full scope of affected version ranges per CVE. No workarounds have been published for individual bugs; the vendor recommends updating to 1.26.0.

This is the largest single-day Unbound disclosure in recent memory, and the presence of a CVSS 10.0 cache-poisoning bug — the most critical class of vulnerability for a DNS resolver — makes it especially urgent for operators of recursive resolvers, DNS infrastructure teams, and anyone running Unbound in enterprise or ISP environments. The DNSSEC validator bugs (CVE-2026-33278, CVE-2026-42959, CVE-2026-42923) are also notable because DNSSEC validation is a core security feature; flaws in the validator undermine the trust model it is meant to enforce. Administrators should prioritize the 1.26.0 upgrade and review their EDNS option configurations and RPZ zone policies as additional hardening steps.

Synthesized by Vypr AI