CVE-2026-42923 Overview
CVE-2026-42923 affects the NLnet Labs Unbound recursive DNS resolver up to and including version 1.25.0. The vulnerability resides in the DNSSEC validator code path that consults the negative cache for Delegation Signer (DS) records. This path does not honor the NSEC3 hash calculation limit introduced in Unbound 1.19.1, so an attacker controlling a DNSSEC-signed zone can force Unbound to perform NSEC3 hash work that is bounded only by the zone's own iteration counts, all while holding the lock that protects the negative cache shared by every worker thread. The condition degrades service and blocks other threads attempting to consult the negative cache. The issue is tracked under CWE-407: Inefficient Algorithmic Complexity.
Critical Impact
Coordinated queries against a malicious DNSSEC zone can escalate this resource consumption flaw into a denial-of-service condition affecting all Unbound resolver threads.
Affected Products
- NLnet Labs Unbound versions up to and including 1.25.0
- Unbound deployments with DNSSEC validation enabled (the validator module present in module-config); the affected code lives in the validator
- Deployments whose validator consults the negative cache for DS records, which is the case whenever validation is on (the cache is sized by neg-cache-size)
Discovery Timeline
- 2026-05-20 - CVE-2026-42923 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-42923
Vulnerability Analysis
Unbound performs DNSSEC validation by walking the chain of trust, and it consults its negative cache for cached proofs that a DS record does not exist at a delegation point. When the resolver checks the negative cache for a DS record, it processes the NSEC3 records stored for the relevant delegation. Each NSEC3 record carries an iterations field (RFC 5155) that sets how many additional hash rounds the resolver must compute to test a name against that record, so the zone owner controls the cost of every such check.
Unbound 1.19.1 introduced a cap on NSEC3 hash calculations to prevent exactly this kind of abuse. The DS negative cache consultation path, however, was not wired into that limiter: the resolver keeps hashing until each NSEC3 record's full iteration count has been computed. During this work Unbound holds the lock protecting the negative cache structure, and that lock is shared by all worker threads in the process.
While the lock is held, other resolver threads attempting negative cache lookups block. Sustained queries against the attacker zone serialize resolver threads behind the lock and exhaust available CPU on hashing work.
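The following Python example is added here to make the cost model concrete; it is not Unbound's code and not an exploit. It implements the RFC 5155 NSEC3 hash (checked against the RFC 5155 Appendix A vector: the name "example" with salt aabbccdd and 12 iterations hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom), a parser for NSEC3 RDATA so the iterations field can be read from a captured record, and a small per-query calculation budget that stands in for the kind of cap Unbound 1.19.1 introduced. The attacker zone records, their salt and iteration count of 150, the query names, and the cap value of 8 are constructed for illustration and are not taken from the advisory; the names HashBudget, nsec3_hash, parse_nsec3_rdata and hash_work_for_query are this example's own.

```python
"""NSEC3 hash cost and a per-query calculation budget (illustrative, not Unbound's code)."""
import base64
import hashlib
import struct

# RFC 5155 Appendix A parameters (real published test vector, not constructed):
# NSEC3PARAM 1 0 12 aabbccdd, with H("example") = 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
RFC5155_SALT = bytes.fromhex("aabbccdd")
RFC5155_ITERATIONS = 12

_B32STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32STD, _B32HEX)


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased, uncompressed) wire form: 'a.Example.' -> b'\\x01a\\x07example\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def b32hex(data: bytes) -> str:
    """Base32hex (RFC 4648 extended hex alphabet), lowercase, as used for NSEC3 owner names."""
    return base64.b32encode(data).translate(_TO_B32HEX).rstrip(b"=").decode("ascii").lower()


class HashBudgetExceeded(Exception):
    """Raised once a query has spent its allowed number of NSEC3 hash calculations."""


class HashBudget:
    """Per-query counter modelling a hash calculation cap. limit=None means no cap, i.e. the
    behaviour of the unpatched DS negative-cache path: work is bounded only by the records."""

    def __init__(self, limit):
        self.limit = limit
        self.used = 0

    def charge(self):
        if self.limit is not None and self.used >= self.limit:
            raise HashBudgetExceeded(f"cap of {self.limit} hash calculations reached")
        self.used += 1


def nsec3_hash(name: str, salt: bytes, iterations: int, budget: HashBudget = None) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), result IH(iterations).
    That is iterations + 1 SHA-1 invocations, each charged to the budget when one is given."""
    x = name_to_wire(name)
    for _ in range(iterations + 1):
        if budget is not None:
            budget.charge()
        x = hashlib.sha1(x + salt).digest()
    return b32hex(x)


def parse_nsec3_rdata(rdata: bytes) -> dict:
    """Split NSEC3 RDATA (RFC 5155 section 3.2) into fields; iterations is what the zone owner tunes."""
    alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[:5])
    off = 5
    salt = rdata[off:off + salt_len]
    off += salt_len
    hash_len = rdata[off]
    off += 1
    next_hashed = rdata[off:off + hash_len]
    off += hash_len
    return {"alg": alg, "flags": flags, "iterations": iterations, "salt": salt,
            "next_hashed": b32hex(next_hashed), "type_bitmap": rdata[off:]}


def build_nsec3_rdata(iterations: int, salt: bytes, flags: int = 0) -> bytes:
    """Constructed NSEC3 RDATA for this example: 20-byte dummy next hash, empty type bitmap."""
    return struct.pack("!BBHB", 1, flags, iterations, len(salt)) + salt + bytes([20]) + b"\x00" * 20


def hash_work_for_query(qname: str, records: list, limit=None) -> dict:
    """Hash qname and each of its ancestors (one per label, as a closest-encloser search does)
    against every distinct (salt, iterations) pair; report SHA-1 calls, or where a cap stopped it."""
    labels = [lab for lab in qname.lower().rstrip(".").split(".") if lab]
    names = [".".join(labels[i:]) + "." for i in range(len(labels))]
    params = {(r["salt"], r["iterations"]) for r in records}
    budget = HashBudget(limit)
    try:
        for salt, iters in sorted(params, key=lambda p: p[1]):
            for n in names:
                nsec3_hash(n, salt, iters, budget)
        return {"completed": True, "sha1_calls": budget.used}
    except HashBudgetExceeded:
        return {"completed": False, "sha1_calls": budget.used}


# Constructed attacker zone: three opt-out NSEC3 records, 150 iterations, 16-byte salt.
ATTACK_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
ATTACK_RECORDS = [parse_nsec3_rdata(build_nsec3_rdata(150, ATTACK_SALT, flags=1)) for _ in range(3)]

if __name__ == "__main__":
    print(nsec3_hash("example.", RFC5155_SALT, RFC5155_ITERATIONS))          # RFC 5155 vector
    print(hash_work_for_query("www.sub.attacker.example.", ATTACK_RECORDS))   # uncapped work
    print(hash_work_for_query("www.sub.attacker.example.", ATTACK_RECORDS, limit=8))  # capped
```

Four candidate names against one parameter set at 150 iterations cost 4 x 151 = 604 SHA-1 calls for a single check, and that figure scales linearly with label count and with the number of distinct salt/iteration pairs the zone presents. With a cap in place the same check stops after the budget is spent; without it, as on the unpatched path, the work is whatever the zone dictates, and in Unbound it runs under the negative cache lock.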
Root Cause
The defect is a missing enforcement of an existing work limit: the NSEC3 hash calculation cap added in 1.19.1 was applied to the primary NSEC3 validation paths but not to the DS negative cache consultation path. The flaw maps to CWE-407, Inefficient Algorithmic Complexity, and its impact is compounded by the coarse-grained lock on the negative cache, which turns one thread's hashing into a stall for every thread.
Attack Vector
An attacker provisions a DNSSEC-signed zone they control and signs NSEC3 records for its child delegations with iteration counts that stay within Unbound's per-record acceptance threshold (the val-nsec3-keysize-iterations setting) but still represent significant hash work per check, which accumulates across queries. The attacker then directs a victim Unbound resolver to query names within the malicious zone. Each query forces Unbound to consult the DS negative cache, triggering full NSEC3 hash computation while the negative cache lock is held; coordinated query floods amplify the effect into a denial of service.
No authentication or user interaction is required, and the attack is performed remotely over the network.
No public proof-of-concept code is associated with this CVE, so the vulnerability is described here in prose only. Refer to the NLnet Labs CVE-2026-42923 Advisory for the vendor's technical description.
Detection Methods for CVE-2026-42923
Indicators of Compromise
- Sustained high CPU utilization on Unbound worker threads correlated with queries to specific external zones.
- Increased query latency and timeouts for unrelated DNS resolutions handled by the same Unbound instance.
- Repeated queries from internal clients to names within an unfamiliar DNSSEC-signed zone using NSEC3 with high iteration values.
Detection Strategies
- Monitor unbound-control stats output for per-thread requestlist.max and recursion.time.avg growing while num.queries stays flat; that pattern, not raw query volume, is the signature of threads waiting on the negative cache lock. With extended-statistics enabled, also watch num.answer.secure and num.answer.bogus for shifts during suspected attack windows.
- Capture DNS traffic and inspect NSEC3 records returned to the resolver for high iteration counts at child delegations.
- Correlate request-list growth and rising recursion time with queries to recently registered or low-reputation DNSSEC-signed zones. Unbound does not export lock-wait metrics, so these counters are the observable proxies for contention on the negative cache lock.
Monitoring Recommendations
- Alert on sustained Unbound CPU saturation that does not correspond to legitimate query volume increases.
- Track per-zone query distribution to identify a single external zone receiving disproportionate recursive lookups.
- Forward Unbound logs and host telemetry to a centralized analytics platform for correlation across resolver fleets.
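The Python example below is added here to show the stats-based detection described above running over sample data; it is not part of the original page or of Unbound. It compares two snapshots of unbound-control stats output, a baseline and a suspect interval, and flags worker threads whose request-list backlog and recursion time grew sharply while their incoming query count did not. The two snapshots, the thread count and the threshold multipliers (4x backlog, 4x latency, at most 1.5x volume) are constructed for illustration; the function names parse_stats and detect_stall are this example's own. It assumes stats are collected with unbound-control stats at a fixed interval, so each snapshot covers one interval (the default statistics-cumulative: no resets counters on each read).

```python
"""Flag negative-cache-lock stall symptoms from two unbound-control stats snapshots (added example)."""
import re

# key=value lines as unbound-control prints them; values are integers or decimals.
STATS_LINE = re.compile(r"^([A-Za-z0-9_.]+)=(-?[0-9.]+)$")

# Constructed baseline interval: two threads, healthy latencies, small request lists.
BASELINE = """\
thread0.num.queries=12000
thread0.requestlist.max=40
thread0.recursion.time.avg=0.081
thread1.num.queries=11800
thread1.requestlist.max=37
thread1.recursion.time.avg=0.079
total.num.queries=23800
total.requestlist.max=40
total.recursion.time.avg=0.080
"""

# Constructed suspect interval: query volume barely moved, but every thread is backed up
# and slow, which is what serialised hashing behind a shared lock looks like from outside.
ATTACK = """\
thread0.num.queries=12900
thread0.requestlist.max=1020
thread0.recursion.time.avg=2.41
thread1.num.queries=12300
thread1.requestlist.max=987
thread1.recursion.time.avg=2.37
total.num.queries=25200
total.requestlist.max=1020
total.recursion.time.avg=2.39
"""


def parse_stats(text: str) -> dict:
    """Parse numeric key=value lines into a dict of floats; anything else is ignored."""
    stats = {}
    for line in text.splitlines():
        m = STATS_LINE.match(line.strip())
        if m:
            stats[m.group(1)] = float(m.group(2))
    return stats


def thread_names(stats: dict) -> list:
    """Worker thread prefixes present in a snapshot, e.g. ['thread0', 'thread1']."""
    return sorted({k.split(".", 1)[0] for k in stats if k.startswith("thread")})


def growth(cur: dict, base: dict, key: str, floor: float = 1e-9) -> float:
    """current/baseline for one counter; a counter missing from either side counts as no growth."""
    if key not in cur or key not in base:
        return 1.0
    return cur[key] / max(base[key], floor)


def detect_stall(baseline_text: str, current_text: str,
                 min_backlog_growth: float = 4.0, min_latency_growth: float = 4.0,
                 max_query_growth: float = 1.5) -> list:
    """Return one alert per thread whose backlog and latency grew by the given factors
    while its query count grew by less than max_query_growth (saturation without load)."""
    base = parse_stats(baseline_text)
    cur = parse_stats(current_text)
    alerts = []
    for t in thread_names(cur):
        backlog = growth(cur, base, f"{t}.requestlist.max")
        latency = growth(cur, base, f"{t}.recursion.time.avg")
        volume = growth(cur, base, f"{t}.num.queries")
        if backlog >= min_backlog_growth and latency >= min_latency_growth and volume <= max_query_growth:
            alerts.append({"thread": t, "backlog_x": round(backlog, 1),
                           "latency_x": round(latency, 1), "volume_x": round(volume, 2)})
    return alerts


if __name__ == "__main__":
    for alert in detect_stall(BASELINE, ATTACK):
        print("stall suspected:", alert)
```

On the constructed data both threads are flagged with roughly 25x backlog and 30x latency against under 1.1x query growth. The thresholds are starting points to tune against a fleet's own baseline; the next step a practitioner would take is to join the alert window with query logs to find the zone receiving the disproportionate lookups, as the per-zone recommendation above describes.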
How to Mitigate CVE-2026-42923
Immediate Actions Required
- Upgrade all Unbound instances to version 1.25.1 or later, which bounds the affected code path with the existing NSEC3 hash calculation limit.
- Inventory recursive resolvers across production, management, and DMZ networks to confirm complete patch coverage.
- Restrict recursive query access to trusted client networks to reduce exposure from arbitrary external queriers.
Patch Information
NLnet Labs released Unbound 1.25.1 containing the fix. The patch extends the existing NSEC3 hash calculation limit to cover the DS negative cache consultation path. Details are published in the NLnet Labs CVE-2026-42923 Advisory.
Workarounds
- Configure query rate limits in unbound.conf: ratelimit caps the recursive queries per second sent toward any one zone's name servers, which throttles lookups into the attacker's zone, and ip-ratelimit caps queries per second accepted from each client address, which throttles coordinated floods from a few sources. Neither removes the unbounded hashing; they only reduce how often it is triggered.
- Where DNSSEC validation is not required, consider disabling it on non-critical resolvers until patching is complete. This removes protection against forged answers and must be temporary.
- Deploy multiple resolver instances behind a load balancer. The negative cache lock is per process, so an instance stalled on it does not block resolution through its peers.
# Configuration example: verify and upgrade Unbound
unbound -V | head -n1
# Expected after patching: Version 1.25.1 or later

# Example rate limiting in unbound.conf (workaround only; does not fix the hashing path)
server:
    # recursive queries per second allowed toward any single zone's name servers
    ratelimit: 1000
    # queries per second accepted from each client source address
    ip-ratelimit: 200
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


