CVE-2026-42960
CVE-2026-42960 is a critical-severity vulnerability in Nlnetlabs Unbound with a CVSS 3.x base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-349.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- CVSS v4: 5.7
- EPSS exploit prediction: 0% (16th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-31083
- Weakness: CWE-349
- Affected product: Nlnetlabs Unbound
- Published:
- Last modified:
Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
Frequently asked questions
- What is CVE-2026-42960?
- NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to authority NS records, mitigating the possible poison effect. This is a complement fix to CVE-2025-11411.
- How severe is CVE-2026-42960?
- CVE-2026-42960 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability high.
- Is CVE-2026-42960 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (16th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-42960?
- CVE-2026-42960 affects Nlnetlabs Unbound. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-42960?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-42960 have an EU (EUVD) identifier?
- Yes. CVE-2026-42960 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31083.
- When was CVE-2026-42960 published?
- CVE-2026-42960 was published on 2026-05-20 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
More vulnerabilities in Nlnetlabs Unbound
- CVE-2026-33278 — Critical (CVSS 9.8): NLnet Labs Unbound 1.19.1 up to and including version 1.25.0 has a vulnerability in the DNSSEC validator that enables…
- CVE-2019-25042 — Critical (CVSS 9.8): Unbound before 1.9.5 allows an out-of-bounds write via a compressed name in rdata_copy. NOTE: The vendor disputes that…
- CVE-2019-25039 — Critical (CVSS 9.8): Unbound before 1.9.5 allows an integer overflow in a size calculation in respip/respip.c. NOTE: The vendor disputes…
- CVE-2019-25038 — Critical (CVSS 9.8): Unbound before 1.9.5 allows an integer overflow in a size calculation in dnscrypt/dnscrypt.c. NOTE: The vendor disputes…
- CVE-2019-25035 — Critical (CVSS 9.8): Unbound before 1.9.5 allows an out-of-bounds write in sldns_bget_token_par. NOTE: The vendor disputes that this is a…
- CVE-2019-25034 — Critical (CVSS 9.8): Unbound before 1.9.5 allows an integer overflow in sldns_str2wire_dname_buf_origin, leading to an out-of-bounds write.…
All CVEs affecting Nlnetlabs Unbound →
Other CWE-349 vulnerabilities
- CVE-2026-41120 — Critical (CVSS 9.8): Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Acceptance of Extraneous Untrusted Data With…
- CVE-2026-45602 — Critical (CVSS 9.1): No cwe for this issue in Windows DHCP Server allows an unauthorized attacker to perform tampering over a network.
- CVE-2025-5994 — High (CVSS 8.7): A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that…
- CVE-2025-40778 — High (CVSS 8.6): Under certain circumstances, BIND is too lenient when accepting records from answers, allowing an attacker to inject…
- CVE-2025-40776 — High (CVSS 8.6): A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a…
- CVE-2026-32162 — High (CVSS 8.4): Acceptance of extraneous untrusted data with trusted data in Windows COM allows an unauthorized attacker to elevate…