CVE-2026-42960
Published 2026-05-20. CVE-2026-42960: NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that…
Priority: P355 (critical); CVSS 3.1 base score 10.0, vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H
EPSS: 0.25% (16.1 percentile)
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to cache poisoning via promiscuous records in the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound into caching such records. If an adversary is able to attach such records to a reply (e.g., via a spoofed packet or a fragmentation attack), they would be able to poison Unbound's cache. A malicious actor can exploit this by injecting authority RRSets other than NS, for example MX, that are also accompanied by address records in the additional section. Unbound would then accept the related address records from the additional section and cache them if the authority RRSet has enough trust at that point, i.e., it is in-zone data for the delegation point. Unbound 1.25.1 contains a fix that disregards address records from the additional section unless they are explicitly relevant to authority NS records, mitigating the possible poisoning effect. This complements the fix for CVE-2025-11411.
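The scrubbing rule described above can be modelled with a small filter: additional-section A/AAAA records are kept only when their owner name is the target of an in-zone authority RRSet, and the fix narrows "authority RRSet" to NS only. The following Python is an added illustration of that rule, not Unbound's own scrubber; the record layout, the `ns_only` switch, the `.test` names and the 192.0.2.0/24 addresses are all constructed for the example, and "enough trust" is reduced to a plain in-bailiwick check on the authority owner name.

```python
"""Toy model of the additional-section scrubbing rule behind CVE-2026-42960.
Added illustration only; this is not Unbound's code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record; rdata is kept as text for readability."""
    name: str    # owner name, lowercase, no trailing dot
    rtype: str   # "A", "AAAA", "NS", "MX", ...
    rdata: str   # e.g. "192.0.2.1", "ns1.example.test", "10 mail.example.test"


@dataclass(frozen=True)
class Reply:
    qname: str
    authority: tuple
    additional: tuple


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is `zone` or a subdomain of it (the in-zone check)."""
    return name == zone or name.endswith("." + zone)


def rdata_target(rr: RR) -> str:
    """Hostname an NS or MX record points at (MX rdata is 'pref exchange')."""
    return rr.rdata.split()[-1]


def allowed_glue_names(reply: Reply, zone: str, ns_only: bool) -> set:
    """Owner names whose additional-section A/AAAA records may be kept.

    ns_only=False models the pre-1.25.1 behaviour: any in-zone authority
    RRSet (NS, MX, ...) makes address records for its target acceptable.
    ns_only=True models the 1.25.1 fix: only NS records grant that right.
    """
    allowed = set()
    for rr in reply.authority:
        if not in_bailiwick(rr.name, zone):
            continue  # authority data outside the zone is not trusted at all
        if rr.rtype == "NS" or (not ns_only and rr.rtype == "MX"):
            allowed.add(rdata_target(rr))
    return allowed


def scrub_additional(reply: Reply, zone: str, ns_only: bool = True) -> list:
    """Return the additional-section records that survive scrubbing."""
    allowed = allowed_glue_names(reply, zone, ns_only)
    return [rr for rr in reply.additional
            if rr.rtype in ("A", "AAAA")
            and in_bailiwick(rr.name, zone)
            and rr.name in allowed]


# Constructed sample replies (RFC 5737 documentation addresses, .test names).
NS_REFERRAL = Reply(
    qname="www.example.test",
    authority=(RR("example.test", "NS", "ns1.example.test"),),
    additional=(RR("ns1.example.test", "A", "192.0.2.1"),
                RR("ns.other.test", "A", "192.0.2.9")),   # out of bailiwick
)
MX_REPLY = Reply(
    qname="www.example.test",
    authority=(RR("example.test", "MX", "10 mail.example.test"),),
    additional=(RR("mail.example.test", "A", "192.0.2.66"),),
)


def compare() -> dict:
    """Kept records under the old rule vs. the fixed rule, for both replies."""
    return {
        "referral_old": scrub_additional(NS_REFERRAL, "example.test", ns_only=False),
        "referral_new": scrub_additional(NS_REFERRAL, "example.test"),
        "mx_old": scrub_additional(MX_REPLY, "example.test", ns_only=False),
        "mx_new": scrub_additional(MX_REPLY, "example.test"),
    }


if __name__ == "__main__":
    for label, kept in compare().items():
        print(label, [f"{rr.name} {rr.rtype} {rr.rdata}" for rr in kept])
```

Running `compare()` shows the difference the patch makes: the legitimate NS referral keeps its in-zone glue under both rules (and the out-of-bailiwick address is dropped under both), while the MX-backed address record is cached only under the old rule and is discarded once address records are tied to NS records alone.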
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnetlabs | unbound | < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | — | — |
| ubuntu | unbound | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H |
| NVD | 4.0 | 5.7 | MEDIUM | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber |
| Red Hat (vendor) | — | 5.7 | MEDIUM | — |
| Ubuntu (vendor) | — | 4.6 | MEDIUM | — |
VulDB
NLnet Labs Unbound up to 1.25.0 acceptance of extraneous untrusted data with trusted data (Nessus ID 315763 / WID-SEC-2026-1599)
vuldb · 2026-05-26 · CVSS 5.7 (MEDIUM) · CVE-2026-42960
A vulnerability was found in NLnet Labs Unbound up to 1.25.0. It has been declared as problematic. This impacts an unknown function. Executing a manipulation can lead to acceptance of extraneous untrusted data with trusted data.
This vulnerability is handled as CVE-2026-42960. The attack can only be done within the local network. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
GHSA-x7f7-rggg-4jvv: NLnet Labs Unbound up to and including version 1
ghsa_unreviewed · 2026-05-20 · CVSS 5.7 (MEDIUM) · CVE-2026-42960 · CWE-349
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cache such records. If an adversary is able to attach such records in a reply (i.e., spoofed packet, fragmentation attack) he would be able to poison Unbound's cache. A malicious actor can exploit the possible poisonous effect by injecting RRSets other than NS that are also accompanied by address records in a reply, for example MX. This could be achieved by trying to spoof a reply packet or fragmentation attacks. Unbound would then accept the relative address records in the additional section and cache them if the authority RRSet has enough trust at this poi
BSD
FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
bsd_advisories · 2026-06-09 · CVSS 5.3 (MEDIUM) · CVE-2026-32792
FreeBSD-SA-26:33.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE)
           2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2)
           2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10)
           2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE)
           2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6)
           2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
          CVE-2026-41292, CVE-2026-42534, CVE-2026-42923,
          CVE-2026-42944, CVE-2026-42959, CVE-2026-42960,
          CVE-2026-44390, CVE-2026-44608
For general information regarding FreeBSD Security Advisories,
including descriptio
Ubuntu
Unbound vulnerabilities
vendor_ubuntu · 2026-06-02 · CVSS 4.6 (MEDIUM) · CVE-2026-42959
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected U
Ubuntu
Unbound vulnerabilities
vendor_ubuntu · 2026-05-20 · CVSS 4.6 (MEDIUM) · CVE-2026-33278
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10
Red Hat
unbound: Unbound DNS Cache Poisoning via Promiscuous Additional Section RRSet Acceptance
vendor_redhat · 2026-05-20 · CVSS 5.7 (MEDIUM) · CVE-2026-42960 · CWE-349
A flaw was found in Unbound's handling of DNS reply messages, complementing the earlier CVE-2025-11411 fix. Unbound accepts and caches address records from the additional section of DNS replies when they accompany authority section RRSets other than NS (such as MX records). A malicious actor who can inject crafted DNS responses—via packet spoofing or fragmentation attacks—can exploit this to poison Unbound's cache with attacker-controlled address records, potentially redirecting DNS resolution for affected domains.
Statement: The Red Hat Product Security team has assessed the severity of this vulnerability as Moderate. Exploitation requires the attacker to successfully inject or spoof DNS response pa
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42960 unbound: Unbound DNS Cache Poisoning via Promiscuous Additional Section RRSet Acceptance [fedora-all]
bugzilla · 2026-05-26 · CVSS 5.7 (MEDIUM) · CVE-2026-42960
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42960 unbound: Unbound DNS Cache Poisoning via Promiscuous Additional Section RRSet Acceptance
bugzilla · 2026-05-19 · CVSS 5.7 (MEDIUM) · CVE-2026-42960
Acceptance of Extraneous Untrusted Data vulnerability in the DNS response scrubbing logic of the Unbound DNS resolver. The flaw allows promiscuous RRSets that complement DNS replies in the authority section to be cached when accompanied by address records in the additional section. Specifically, Unbound marks additional section address records as allowed for any authority RRSet type, not just NS records. A malicious actor can exploit this by injecting RRSets other than NS (e.g., MX) accompanied by address records via spoofed reply packets or fragmentation attacks. Unbound then accepts and caches the relative address records from the additional section if the authority RRSet has sufficie
Published: 2026-05-20