CVE-2026-42959
published 2026-05-20CVE-2026-42959: NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious…
PriorityP342high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
EPSS
0.78%
51.3th percentile
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnet_labs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | — | — |
| ubuntu | unbound | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
vendor_redhat8.7HIGH
vendor_ubuntu4.6MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
NLnet Labs Unbound up to 1.25.0 uninitialized pointer (Nessus ID 315768)
vuldb·2026-05-23·CVSS 8.7
CVE-2026-42959 [HIGH] NLnet Labs Unbound up to 1.25.0 uninitialized pointer (Nessus ID 315768)
A vulnerability classified as problematic has been found in NLnet Labs Unbound up to 1.25.0. Impacted is an unknown function. The manipulation leads to uninitialized pointer.
This vulnerability is listed as CVE-2026-42959. The attack may be initiated remotely. There is no available exploit.
It is recommended to upgrade the affected component.
GHSA
GHSA-5jp8-75xr-qrmf: NLnet Labs Unbound up to and including version 1
ghsa_unreviewed·2026-05-20
CVE-2026-42959 [HIGH] CWE-824 GHSA-5jp8-75xr-qrmf: NLnet Labs Unbound up to and including version 1
NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records
BSD
FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
bsd_advisories·2026-06-09·CVSS 5.3
CVE-2026-32792 [MEDIUM] FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
FreeBSD-SA-26:33.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE)
2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2)
2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923,
CVE-2026-42944, CVE-2026-42959, CVE-2026-42960,
CVE-2026-44390, CVE-2026-44608
For general information regarding FreeBSD Security Advisories,
including descriptio
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 4.6
CVE-2026-42959 [MEDIUM] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected U
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2026-05-20·CVSS 4.6
CVE-2026-33278 [MEDIUM] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10
Red Hat
unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages
vendor_redhat·2026-05-20·CVSS 8.7
CVE-2026-42959 [HIGH] CWE-824 unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages
unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages
A flaw was found in Unbound's DNSSEC validator when constructing chase-reply messages for validation. The code uses the wrong counter to calculate write offsets for ADDITIONAL section resource record sets. When a DNAME chain is combined with authority filtering, an uninitialized array slot is created that the validator later dereferences, causing an immediate process crash. Any application or infrastructure relying on Unbound for DNS resolution could be forced to exit unexpectedly, resulting in a denial-of-service condition.
Statement: The Red Hat Product Security team has assessed the severity of this vulnerability as Important, given that it can be remotely triggered without a
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42959 unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages [fedora-all]
bugzilla·2026-05-26·CVSS 8.7
CVE-2026-42959 [HIGH] CVE-2026-42959 unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages [fedora-all]
CVE-2026-42959 unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42959 unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages
bugzilla·2026-05-19·CVSS 8.7
CVE-2026-42959 [HIGH] CVE-2026-42959 unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages
CVE-2026-42959 unbound: Unbound DNSSEC Validator Denial of Service via Incorrect Write Offset Counter in Chase-Reply Messages
Access of Uninitialized Pointer vulnerability in the DNSSEC validator of the Unbound DNS resolver. The flaw is caused by the use of incorrect counters when calculating write offsets for ADDITIONAL section rrsets in chase-reply messages. DNAME duplication can increase the ANSWER section count and authority filtering can decrease the AUTHORITY section count, creating an uninitialized array slot. The validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHO
https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txthttps://access.redhat.com/errata/RHSA-2026:19752https://access.redhat.com/errata/RHSA-2026:23231https://access.redhat.com/errata/RHSA-2026:24365https://access.redhat.com/errata/RHSA-2026:24369https://access.redhat.com/security/cve/CVE-2026-42959https://bugzilla.redhat.com/show_bug.cgi?id=2479806https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42959.json
2026-05-20
Published