DNSSEC Validator Vulnerability in Unbound by NLnet Labs
CVE-2026-42923

6.9 MEDIUM

Key Information:

Vendor

NLnet Labs

Status
Vendor
CVE Published:
20 May 2026

What is CVE-2026-42923?

NLnet Labs Unbound versions up to and including 1.25.0 contain a flaw in the DNSSEC validator. An attacker who controls a DNSSEC-signed zone can trigger it against a vulnerable Unbound resolver that queries that zone by serving NSEC3 records signed with high iteration counts. A code path did not enforce the limits on NSEC3 hash calculations introduced in version 1.19.1, allowing resource exhaustion. Because the global lock on the negative cache is held for the duration of the hashing, other requests are significantly delayed, potentially leading to a denial of service. The issue is fixed in version 1.25.1, which applies the missing restrictions.

Affected Version(s)

Unbound < 1.25.1 (all versions up to and including 1.25.0)

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Credit

Qifan Zhang (Palo Alto Networks).