CVE-2026-42923
Published: 2026-05-20
Priority: P428, medium, CVSS 3.1 base score 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.34% (25.7th percentile)
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.
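As an added illustration, not code from Unbound or from any advisory quoted on this page: a Python model of the RFC 5155 NSEC3 hash with a per-lookup hash budget, contrasting an unbounded negative-cache DS consult (the vulnerable path) with one that charges every hash to the budget. The budget value, the sample NSEC3 parameter sets and the name `child.example.` are constructed assumptions.

```python
import base64
import hashlib

# SHA-1 calls one lookup may spend on NSEC3 hashing. The number is an
# assumption for this example; Unbound's own limit lives in the resolver.
NSEC3_HASH_BUDGET = 2000

_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Constructed sample: a zone publishing NSEC3 parameter sets (salt, iterations)
# with escalating iteration counts for a child delegation.
SAMPLE_PARAMS = [(bytes.fromhex("aabbccdd"), 12), (bytes.fromhex("0123"), 1500), (b"", 5000)]


class HashBudgetExceeded(Exception):
    """Raised when hashing one more NSEC3 record would exceed the budget."""


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name (RFC 4034 s6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, budget: dict) -> str:
    """RFC 5155 s5 hash as lowercase base32hex, charged to budget['remaining'].

    Cost is iterations + 1 SHA-1 calls and is checked BEFORE any hashing, so an
    oversized iteration count is rejected without doing work. That is the bound
    the 1.19.1 mitigation gives validation and the negative-cache DS path lacked.
    """
    cost = iterations + 1
    if cost > budget["remaining"]:
        raise HashBudgetExceeded(f"need {cost} hashes, {budget['remaining']} left")
    budget["remaining"] -= cost
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode().lower()


def ds_negcache_work(child: str, nsec3_params: list, limit=None) -> dict:
    """Model the DS negative-cache consult: hash `child` under each cached
    parameter set. limit=None is the unbounded (vulnerable) behaviour; with a
    limit the loop stops as soon as the next record would exceed the budget."""
    budget = {"remaining": float("inf") if limit is None else limit}
    spent, hashed, bounded = 0, [], False
    for salt, iterations in nsec3_params:
        try:
            hashed.append(nsec3_hash(child, salt, iterations, budget))
            spent += iterations + 1
        except HashBudgetExceeded:
            bounded = True
            break
    return {"hash_calls": spent, "names": hashed, "bounded": bounded}
```

The first parameter set matches the RFC 5155 Appendix A example (salt aabbccdd, 12 iterations), so `nsec3_hash("example", ...)` reproduces the vector `0p9mhaveqvm6t7vbl5lop2u3t2rp3tom`; the bounded consult stops after the second record at 1514 hash calls where the unbounded one performs 6515.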
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnet_labs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | — | — |
| nlnetlabs | unbound | >= 1.19.1 < 1.25.1 | 1.25.1 |
| ubuntu | unbound | — | — |
CVSS provenance
NVD, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
NVD, CVSS v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
Vendor (Red Hat): 6.9 MEDIUM
Vendor (Ubuntu): 4.6 MEDIUM
GHSA
GHSA-8f6w-8h24-fw66: NLnet Labs Unbound up to and including version 1
ghsa_unreviewed · 2026-05-20 · CVE-2026-42923 [MEDIUM] · CWE-407
BSD
FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
bsd_advisories · 2026-06-09 · CVSS 5.3 · CVE-2026-32792 [MEDIUM]
FreeBSD-SA-26:33.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE)
2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2)
2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923,
CVE-2026-42944, CVE-2026-42959, CVE-2026-42960,
CVE-2026-44390, CVE-2026-44608
For general information regarding FreeBSD Security Advisories,
including descriptio
Ubuntu
Unbound vulnerabilities
vendor_ubuntu · 2026-06-02 · CVSS 4.6 · CVE-2026-42959 [MEDIUM]
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected U
Red Hat
unbound: Unbound DNSSEC Validator NSEC3 Hash Calculation Limit Bypass via Negative Cache Code Path Leading to DoS
vendor_redhat · 2026-05-20 · CVSS 6.9 · CVE-2026-42923 [MEDIUM] · CWE-400
A flaw was found in Unbound's DNSSEC validator where the code path for consulting the negative cache for DS records does not honor the limit on NSEC3 hash calculations introduced in version 1.19.1. An adversary who controls a DNSSEC-signed zone can sign NSEC3 records with high iteration counts for child delegations, causing Unbound to perform excessive hash computations while holding a global lock on the negative cache. This temporarily blocks other resolver threads from accessing the negative cache, leading to degraded DNS resolution performance for the duration of the attack.
Statement: The Red Hat Product Security team has assessed the severity of this vulnerability as Mod
Ubuntu
Unbound vulnerabilities
vendor_ubuntu · 2026-05-20 · CVSS 4.6 · CVE-2026-33278 [MEDIUM]
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42923 unbound: Unbound DNSSEC Validator NSEC3 Hash Calculation Limit Bypass via Negative Cache Code Path Leading to DoS [fedora-all]
bugzilla · 2026-05-26 · CVSS 6.9 · CVE-2026-42923 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42923 unbound: Unbound DNSSEC Validator NSEC3 Hash Calculation Limit Bypass via Negative Cache Code Path Leading to DoS
bugzilla · 2026-05-19 · CVSS 6.9 · CVE-2026-42923 [MEDIUM]
Uncontrolled Resource Consumption vulnerability in the DNSSEC validator of the Unbound DNS resolver. The flaw is caused by the negative cache DS record code path not taking into account the limit on NSEC3 hash calculations introduced in Unbound 1.19.1. An adversary that controls a DNSSEC-signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records without applying the mitigation limit. As a side effect, a global lock for the negative cache is held for the duration of the hashing, blocking other threads