Denial of Service Vulnerability in NLnet Labs Unbound DNS Validator
CVE-2026-42959

8.7 HIGH

Key Information:

Vendor

NLnet Labs

Status
Vendor
CVE Published:
20 May 2026

What is CVE-2026-42959?

NLnet Labs Unbound versions up to and including 1.25.0 contain a denial of service vulnerability in the DNSSEC validator: processing malicious upstream DNS replies can crash the Unbound service. The flaw is in the generation of chase-reply messages for validation, where an incorrect counter is used to determine the write offsets for ADDITIONAL section resource record sets. Because of the interaction between DNAME duplication and changes in authority filtering, the validator may dereference an uninitialized pointer, which crashes the process immediately. An adversary who controls a DNSSEC-signed domain may exploit this by sending crafted DNS responses. Unbound version 1.25.1 fixes the issue by using the correct counters.
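The bug class named above, a write offset taken from a counter that no longer matches the number of entries actually written, is shown here as an added, simplified model; it is not Unbound's source code. The struct, the function names, the filter rule and the sample data are all assumptions made for illustration, and the model covers only the filtering mismatch, not DNAME handling.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical message: record sets packed [answer|authority|additional]. */
struct msg {
    size_t n_an, n_ns, n_ar;
    const char *sets[16];   /* NULL = slot never written (model only) */
};

/* Assumed filter rule for this model: names starting with "drop" are removed. */
static int keep_authority(const char *name) { return strncmp(name, "drop", 4) != 0; }

/* Copy src into dst, filtering authority. stale_counter=1 models the defect: the
 * additional offset comes from the source's counts, not from entries written. */
static void build_copy(const struct msg *src, struct msg *dst, int stale_counter)
{
    size_t i, w = 0, src_ar = src->n_an + src->n_ns;
    memset(dst, 0, sizeof(*dst));   /* zeroed so the gap is observable here */
    for (i = 0; i < src->n_an; i++) dst->sets[w++] = src->sets[i];
    dst->n_an = w;
    for (i = 0; i < src->n_ns; i++)
        if (keep_authority(src->sets[src->n_an + i]))
            dst->sets[w++] = src->sets[src->n_an + i];
    dst->n_ns = w - dst->n_an;
    size_t off = stale_counter ? src_ar : w;   /* corrected form uses w */
    for (i = 0; i < src->n_ar; i++) dst->sets[off + i] = src->sets[src_ar + i];
    dst->n_ar = src->n_ar;
}

/* Slots inside the advertised range that were never written; a consumer
 * walking the range would dereference each of them. */
static size_t unwritten_slots(const struct msg *m)
{
    size_t i, gaps = 0, total = m->n_an + m->n_ns + m->n_ar;
    for (i = 0; i < total; i++) if (m->sets[i] == NULL) gaps++;
    return gaps;
}

/* Constructed sample: 1 answer, 3 authority (2 filtered out), 2 additional. */
static const struct msg SAMPLE = { 1, 3, 2, { "an0", "ns0", "drop1", "drop2", "ar0", "ar1" } };

int main(void)
{
    struct msg bad, good;
    build_copy(&SAMPLE, &bad, 1);
    build_copy(&SAMPLE, &good, 0);
    printf("stale: %zu unwritten, correct: %zu unwritten\n", unwritten_slots(&bad), unwritten_slots(&good));
    return 0;
}
```

In the model the destination is zeroed so the skipped slots can be counted; in the case the description covers, such a slot holds an uninitialized pointer.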

Affected Version(s)

Unbound: all versions before 1.25.1

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Qifan Zhang (Palo Alto Networks)