CVE-2026-42959 Overview
CVE-2026-42959 is a denial of service vulnerability in the NLnet Labs Unbound DNS resolver. The flaw resides in the DNSSEC validator, which uses an incorrect counter when calculating write offsets for ADDITIONAL section rrsets during chase-reply construction. An attacker controlling a DNSSEC-signed domain can craft upstream replies that trigger an uninitialized pointer dereference. A single query causes Unbound to crash immediately, disrupting DNS resolution for all downstream clients. The vulnerability affects Unbound versions up to and including 1.25.0 and is fixed in 1.25.1. The issue is tracked under [CWE-824] (Access of Uninitialized Pointer).
Critical Impact
A remote, unauthenticated attacker can crash Unbound resolver processes with a single crafted DNS query, breaking DNS resolution for dependent infrastructure.
Affected Products
- NLnet Labs Unbound versions up to and including 1.25.0
- All deployments using Unbound as a DNSSEC validating resolver
- Patched in NLnet Labs Unbound 1.25.1
Discovery Timeline
- 2026-05-20 - CVE CVE-2026-42959 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-42959
Vulnerability Analysis
The vulnerability occurs while Unbound builds chase-reply messages used for DNSSEC validation. The code computes write offsets for the ADDITIONAL section rrsets using the wrong section counter. Two response-shaping behaviors combine to expose the flaw. DNAME duplication inflates the ANSWER section count, while authority filtering reduces the AUTHORITY section count. The mismatch produces an uninitialized slot in the rrset array. When the validator later dereferences the pointer in that slot, the Unbound process crashes immediately. The result is a clean denial of service against any resolver instance that processes the malicious upstream reply.
Root Cause
The root cause is incorrect counter usage during memory layout calculation in the validator's chase-reply assembly logic. The code path does not maintain a consistent count between the ANSWER, AUTHORITY, and ADDITIONAL sections after DNAME expansion and authority filtering. This leaves a pointer slot uninitialized and reachable by later dereference, mapping directly to [CWE-824] Access of Uninitialized Pointer.
Attack Vector
Exploitation requires the attacker to control a DNSSEC-signed domain that the target Unbound resolver queries. The adversary configures a DNAME chain pointing to unsigned CNAMEs. The malicious response contains unsigned records in the AUTHORITY section alongside signed glue records in the ADDITIONAL section. A single triggering query, which can be induced by causing any downstream client to resolve a name under the attacker's zone, is sufficient to crash the resolver. No authentication or user interaction is required, and the network attack vector makes the issue reachable from the public internet.
No verified public exploit code is available. Refer to the NLnet Labs Advisory CVE-2026-42959 for technical details.
Detection Methods for CVE-2026-42959
Indicators of Compromise
- Unexpected Unbound process crashes or restarts logged by the service manager, particularly correlated with outbound queries to unfamiliar DNSSEC-signed zones.
- DNS query logs showing resolution attempts for domains with DNAME chains leading to unsigned CNAME targets.
- Upstream replies that contain unsigned AUTHORITY records combined with signed ADDITIONAL glue records for the same response.
Detection Strategies
- Monitor systemd, supervisord, or container orchestrator logs for repeated Unbound segmentation faults or abnormal exit codes.
- Enable Unbound query logging and inspect responses for DNAME chains terminating in unsigned CNAMEs.
- Correlate resolver crash events with the most recent outbound recursive query to identify the triggering zone.
Monitoring Recommendations
- Alert on Unbound restart frequency exceeding a baseline threshold within a short time window.
- Track availability metrics for the resolver service and downstream DNS-dependent applications.
- Capture core dumps from Unbound crashes for post-incident forensic analysis of the triggering response.
How to Mitigate CVE-2026-42959
Immediate Actions Required
- Upgrade Unbound to version 1.25.1 or later on all resolver hosts.
- Inventory all systems running Unbound, including embedded appliances and container images that bundle the resolver.
- Restart the Unbound service after upgrade to ensure the patched binary is active.
Patch Information
NLnet Labs released Unbound 1.25.1 with a fix that uses the proper counters when calculating write offsets for ADDITIONAL section rrsets. The patch corrects the section count mismatch that produced the uninitialized array slot. Detailed advisory information is available at the NLnet Labs Advisory CVE-2026-42959.
Workarounds
- Disable DNSSEC validation on affected resolvers only as a last resort, since this removes a core security control.
- Configure resolver supervision to automatically restart Unbound on crash to limit downtime while patching is scheduled.
- Restrict recursive resolution to internal clients and trusted zones where feasible to reduce exposure to attacker-controlled domains.
# Verify installed Unbound version
unbound -V | head -n 1
# Example upgrade on Debian/Ubuntu after distribution package update
sudo apt update && sudo apt install --only-upgrade unbound
sudo systemctl restart unbound
# Confirm patched version is running
sudo systemctl status unbound
unbound-control status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
