CVE-2026-42923: CWE-407: Inefficient Algorithmic Complexity in NLnet Labs Unbound
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.
AI Analysis
Technical Summary
CVE-2026-42923 is an inefficient algorithmic complexity vulnerability (CWE-407) in NLnet Labs Unbound's DNSSEC validator up to version 1.25.0. The vulnerability arises because the code path that consults the negative cache for DS records does not enforce the limit on NSEC3 hash calculations introduced in version 1.19.1. An attacker controlling a DNSSEC signed zone can exploit this by signing NSEC3 records with high iteration counts and querying a vulnerable Unbound instance, causing it to perform excessive hash calculations. This leads to a denial of service condition by holding a global lock on the negative cache, blocking other threads. The issue is fixed in Unbound 1.25.1 by bounding the vulnerable code path with the existing limit on NSEC3 hash calculations.
Potential Impact
The vulnerability can be exploited to cause a denial of service on Unbound DNS resolvers by forcing them to perform excessive NSEC3 hash calculations and blocking other threads via a global lock on the negative cache. This can degrade service availability during an attack. There are no known exploits in the wild as of the published date. The CVSS 4.0 base score is 6.9, indicating a medium severity impact.
Mitigation Recommendations
Unbound version 1.25.1 contains a patch that fixes this vulnerability by bounding the vulnerable code path with the existing limit on NSEC3 hash calculations. Users should upgrade to version 1.25.1 or later to remediate this issue. Since no official patch links or advisories are provided in the input, confirm patch availability and upgrade instructions from NLnet Labs official sources before applying. No other mitigations are specified.
CVE-2026-42923: CWE-407: Inefficient Algorithmic Complexity in NLnet Labs Unbound
Description
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the DNSSEC validator where the code path to consult the negative cache for DS records does not take into account the limit on NSEC3 hash calculations introduced in 1.19.1. This leads to degradation of service during the attack. An adversary that controls a DNSSEC signed zone can exploit this by signing NSEC3 records with acceptably high iterations for child delegations and querying a vulnerable Unbound. Unbound will keep performing the allowed hash calculations on the NSEC3 records and will not limit the work by the mitigation introduced in 1.19.1. As a side effect, a global lock for the negative cache will be held for the duration of the hashing, blocking other threads that need to consult the negative cache. Coordinated attacks could raise the vulnerability to denial of service. Unbound 1.25.1 contains a patch with a fix to bound the vulnerable code path with the existing limit for NSEC3 hash calculations.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42923 is an inefficient algorithmic complexity vulnerability (CWE-407) in NLnet Labs Unbound's DNSSEC validator up to version 1.25.0. The vulnerability arises because the code path that consults the negative cache for DS records does not enforce the limit on NSEC3 hash calculations introduced in version 1.19.1. An attacker controlling a DNSSEC signed zone can exploit this by signing NSEC3 records with high iteration counts and querying a vulnerable Unbound instance, causing it to perform excessive hash calculations. This leads to a denial of service condition by holding a global lock on the negative cache, blocking other threads. The issue is fixed in Unbound 1.25.1 by bounding the vulnerable code path with the existing limit on NSEC3 hash calculations.
Potential Impact
The vulnerability can be exploited to cause a denial of service on Unbound DNS resolvers by forcing them to perform excessive NSEC3 hash calculations and blocking other threads via a global lock on the negative cache. This can degrade service availability during an attack. There are no known exploits in the wild as of the published date. The CVSS 4.0 base score is 6.9, indicating a medium severity impact.
Mitigation Recommendations
Unbound version 1.25.1 contains a patch that fixes this vulnerability by bounding the vulnerable code path with the existing limit on NSEC3 hash calculations. Users should upgrade to version 1.25.1 or later to remediate this issue. Since no official patch links or advisories are provided in the input, confirm patch availability and upgrade instructions from NLnet Labs official sources before applying. No other mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- NLnet Labs
- Date Reserved
- 2026-05-07T10:07:51.800Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d86fdba1db4736270ee66
Added to database: 5/20/2026, 10:03:41 AM
Last enriched: 5/20/2026, 10:19:45 AM
Last updated: 5/20/2026, 1:37:58 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.