CVE-2026-42960: CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data in NLnet Labs Unbound
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to cache poisoning via promiscuous records in the authority section. Promiscuous RRSets that accompany DNS replies in the authority section can be used to trick Unbound into caching such records. If an adversary is able to attach such records to a reply (e.g., via a spoofed packet or a fragmentation attack), they would be able to poison Unbound's cache. A malicious actor can exploit this by injecting RRSets other than NS that are also accompanied by address records in the reply, for example MX. Unbound would then accept the related address records in the additional section and cache them if the authority RRSet has enough trust at that point, i.e., it is in-zone data for the delegation point. Unbound 1.25.1 contains a fix that disregards address records from the additional section unless they are explicitly relevant to authority NS records, mitigating the poisoning effect. This is a complementary fix to CVE-2025-11411.
AI Analysis
Technical Summary
CVE-2026-42960 describes a vulnerability in NLnet Labs Unbound DNS resolver up to version 1.25.0 where promiscuous RRSets in the authority section of DNS replies can be used to poison the cache. Specifically, Unbound may accept and cache address records from the additional section that are not explicitly tied to authority NS records if the authority RRSet is trusted. An attacker capable of spoofing DNS replies or exploiting fragmentation attacks can inject such records, leading to cache poisoning. The issue is addressed in Unbound 1.25.1 by ignoring irrelevant address records in the additional section, thus preventing this poisoning vector. This fix complements the prior patch for CVE-2025-11411.
Potential Impact
Successful exploitation allows an attacker to poison the DNS cache of Unbound resolvers by injecting malicious resource records, potentially redirecting DNS queries to attacker-controlled addresses. This undermines DNS integrity and can facilitate further attacks that rely on DNS spoofing. The CVSS score of 5.7 reflects medium severity: exploitation requires network access but no privileges. No exploits are known to be in use in the wild at this time.
Mitigation Recommendations
Unbound version 1.25.1 contains an official fix that mitigates this vulnerability by disregarding address records in the additional section unless they are explicitly relevant to authority NS records. Users should upgrade to Unbound 1.25.1 or later to remediate this issue. Since no other remediation level or patch information is provided, and the vulnerability affects on-premises software, upgrading is the recommended action. Patch status is confirmed by the vendor advisory embedded in the description.
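The following Python model, added here for illustration and not taken from Unbound's code base, shows the check that the description and the mitigation paragraph attribute to the 1.25.1 fix: address records in the additional section are only retained when their owner name is the target of an NS record in the authority section that is in-zone for the delegation point; address records that only hang off another authority RRSet (an MX in the constructed sample) are discarded before anything reaches the cache. The record types, the `Reply` structure and the sample reply (names under `example.test.`, addresses from documentation ranges) are constructed for this example and are assumptions, not data from the advisory.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class RR:
    """One resource record; rdata is the target host for NS/MX, the address for A/AAAA."""
    name: str
    rtype: str
    rdata: str


@dataclass
class Reply:
    """Minimal model of a DNS reply split into its three record sections (constructed)."""
    question: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _norm(name: str) -> str:
    """Canonical form for comparisons: lowercase, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or a subdomain of it (in-zone for the delegation point)."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def referenced_ns_targets(reply: Reply, delegation_zone: str) -> Set[str]:
    """Hostnames named by authority NS records that are in-zone for the delegation point.
    Only these may vouch for address records in the additional section."""
    return {
        _norm(rr.rdata)
        for rr in reply.authority
        if rr.rtype == "NS" and in_zone(rr.name, delegation_zone)
    }


def filter_additional(reply: Reply, delegation_zone: str) -> Tuple[List[RR], List[RR]]:
    """Split the additional section into (cacheable, discarded).

    An address record is cacheable only if its owner is referenced by an in-zone
    authority NS record. Address records that merely accompany another authority
    RRSet (for example an MX) are discarded, which is the behaviour the advisory
    describes for the fixed version."""
    allowed = referenced_ns_targets(reply, delegation_zone)
    kept: List[RR] = []
    dropped: List[RR] = []
    for rr in reply.additional:
        if rr.rtype in ("A", "AAAA") and _norm(rr.name) in allowed:
            kept.append(rr)
        else:
            dropped.append(rr)
    return kept, dropped


def build_sample_reply() -> Reply:
    """Constructed reply: a legitimate in-zone NS with glue, a promiscuous MX with an
    accompanying address record, and an out-of-zone NS whose glue must not be trusted."""
    return Reply(
        question="www.example.test.",
        authority=[
            RR("example.test.", "NS", "ns1.example.test."),
            RR("example.test.", "MX", "mail.example.test."),
            RR("other.test.", "NS", "ns.other.test."),
        ],
        additional=[
            RR("ns1.example.test.", "A", "192.0.2.1"),
            RR("mail.example.test.", "A", "198.51.100.7"),
            RR("ns.other.test.", "A", "203.0.113.9"),
        ],
    )


if __name__ == "__main__":
    kept, dropped = filter_additional(build_sample_reply(), "example.test.")
    for rr in kept:
        print("cache  ", rr)
    for rr in dropped:
        print("discard", rr)
```

Run as a script, the model keeps the glue for `ns1.example.test.` and discards the address records for `mail.example.test.` (referenced only by the MX) and `ns.other.test.` (referenced by an NS that is not in-zone). A resolver applying this filter before caching is the defensive property the upgrade to 1.25.1 restores; the model does not reproduce Unbound's actual data structures or its full trust evaluation.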
Technical Details
- Data Version: 5.2
- Assigner Short Name: NLnet Labs
- Date Reserved: 2026-05-07T10:13:43.999Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a0d8700ba1db4736270eed4
Added to database: 5/20/2026, 10:03:44 AM
Last enriched: 5/20/2026, 10:19:37 AM
Last updated: 5/20/2026, 8:47:22 PM