CVE-2026-42960 Overview
CVE-2026-42960 is a DNS cache poisoning vulnerability in NLnet Labs Unbound through version 1.25.0. The flaw allows an adversary to inject promiscuous resource record sets (RRSets) into the authority section of DNS replies. When the authority RRSet holds sufficient trust as in-zone delegation data, Unbound accepts and caches the accompanying address records from the additional section. Attackers can abuse this behavior by attaching non-NS records such as MX along with address records in a spoofed or fragmented reply. This issue complements CVE-2025-11411 and has been addressed in Unbound 1.25.1.
Critical Impact
Successful exploitation poisons the Unbound resolver cache with attacker-controlled address records, redirecting downstream client traffic to adversary-chosen hosts.
Affected Products
- NLnet Labs Unbound versions up to and including 1.25.0
- Recursive resolver deployments using Unbound for DNS resolution
- Downstream clients relying on affected Unbound instances for name resolution
Discovery Timeline
- 2026-05-20 - CVE-2026-42960 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-42960
Vulnerability Analysis
The vulnerability falls under [CWE-349] Acceptance of Extraneous Untrusted Data With Trusted Data. Unbound improperly trusts address records placed in the additional section of a DNS reply when an authority RRSet other than NS accompanies them. The resolver caches these promiscuous records as if they were authoritative, enabling cache poisoning. An adversary positioned on an adjacent network can attempt to deliver crafted replies through spoofed packets or fragmentation attacks. Because the authority RRSet only needs to qualify as in-zone delegation data, the attacker does not need to compromise the upstream authoritative server.
Root Cause
The root cause is insufficient validation of additional-section glue records against the type of authority record they accompany. Unbound accepted address records relevant to non-NS authority types such as MX, treating them as trustworthy glue. The fix in Unbound 1.25.1 disregards address records from the additional section unless they are explicitly bound to authority NS records.
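To make the admission rule concrete, here is an added example in Python; it is not Unbound's code and not from the advisory. It contains a minimal DNS wire-format parser (compression pointers included) and a glue-admission function. `strict=True` applies the rule the fix describes: an additional-section A/AAAA record is kept only when its owner is the target of an NS record in the authority section and lies inside that zone. `strict=False` models the pre-fix behaviour as this page describes it and is an assumption for illustration, not a reading of Unbound's source. The two replies, the names under `example.test.` and the 192.0.2.0/24 addresses are constructed sample data.

```python
import struct
from dataclasses import dataclass

TYPE_A, TYPE_NS, TYPE_MX, TYPE_AAAA = 1, 2, 15, 28


@dataclass
class RR:
    name: str        # owner name, lower-cased, trailing dot
    rtype: int
    ttl: int
    target: str      # NS/MX target name, "" for other types
    rdata_text: str  # dotted quad for A, hex for everything else


def encode_name(name: str) -> bytes:
    """Wire-encode a dotted name without compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def parse_message(msg: bytes):
    """Return (answer, authority, additional) as lists of RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            target = ""
            if rtype == TYPE_NS:
                target = decode_name(msg, off)[0]
            elif rtype == TYPE_MX:
                target = decode_name(msg, off + 2)[0]   # skip the preference
            text = ".".join(map(str, rdata)) if rtype == TYPE_A else rdata.hex()
            rrs.append(RR(name, rtype, ttl, target, text))
            off += rdlen
        sections.append(rrs)
    return tuple(sections)


def in_zone(name: str, zone: str) -> bool:
    return name == zone or name.endswith("." + zone)


def admissible_glue(authority, additional, strict=True):
    """Address RRs from the additional section that may enter the cache.

    strict=True: only owners that are NS targets in the authority section (the 1.25.1 rule).
    strict=False: any authority RRSet naming the owner, MX included (assumed pre-fix model).
    """
    if not authority:
        return []
    zone = authority[0].name
    if strict:
        referenced = {rr.target for rr in authority if rr.rtype == TYPE_NS}
    else:
        referenced = {rr.target for rr in authority if rr.target}
    return [rr for rr in additional
            if rr.rtype in (TYPE_A, TYPE_AAAA) and rr.name in referenced
            and in_zone(rr.name, zone)]


def rr_wire(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_reply(qname, authority, additional):
    """Constructed reply with an empty answer section (QR, RD, RA set)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(rr_wire(*rr) for rr in authority + additional)


ZONE = "example.test."   # constructed sample zone; 192.0.2.0/24 is documentation space
LEGIT_DELEGATION = build_reply("www.example.test.",
    [(ZONE, TYPE_NS, 3600, encode_name("ns1.example.test."))],
    [("ns1.example.test.", TYPE_A, 3600, bytes([192, 0, 2, 1]))])
PROMISCUOUS_MX = build_reply("www.example.test.",
    [(ZONE, TYPE_MX, 3600, struct.pack("!H", 10) + encode_name("mail.example.test."))],
    [("mail.example.test.", TYPE_A, 3600, bytes([192, 0, 2, 99]))])


def cacheable_addresses(wire: bytes, strict=True):
    """(owner, address) pairs the admission rule would let into the cache."""
    _answer, authority, additional = parse_message(wire)
    return [(rr.name, rr.rdata_text) for rr in admissible_glue(authority, additional, strict)]


if __name__ == "__main__":
    for label, wire in (("NS delegation", LEGIT_DELEGATION), ("MX in authority", PROMISCUOUS_MX)):
        print(label, "strict:", cacheable_addresses(wire), "lenient:", cacheable_addresses(wire, False))
```

With the NS delegation both rules admit `ns1.example.test.`; with an MX RRSet in the authority section the strict rule admits nothing, while the lenient model lets the accompanying address record through, which is the difference the fix closes.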
Attack Vector
Exploitation requires the attacker to land a malicious response before the legitimate upstream reply. This is typically achieved by spoofing the source address and matching DNS transaction parameters, or by leveraging IP fragmentation to inject crafted fragments into a legitimate response. Once the poisoned MX and accompanying A or AAAA records enter the cache, any client querying the affected name receives the attacker-controlled mapping. The poisoned entries persist for the TTL set by the attacker. See the NLnet Labs CVE-2026-42960 Advisory for protocol-level details.
Detection Methods for CVE-2026-42960
Indicators of Compromise
- Unexpected A or AAAA records cached for MX or other non-NS targets that do not match authoritative data
- DNS replies containing additional-section glue records that are not strictly tied to authority NS records
- Spikes in fragmented UDP/53 traffic or duplicate response packets observed on resolver interfaces
Detection Strategies
- Compare cached records on Unbound (unbound-control dump_cache) against authoritative zone data for high-value domains
- Monitor for anomalous TTLs or addresses on mail-exchanger lookups originating from the resolver
- Inspect packet captures on UDP/53 for unsolicited replies, mismatched transaction IDs, or out-of-order fragments
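As an added example of the first detection strategy (not part of the original page, and not an Unbound tool), the following Python parses the RRset section of `unbound-control dump_cache` output, compares cached address records against the operator's authoritative data, flags mismatched addresses and TTLs longer than the zone should ever produce, and emits the `unbound-control flush` commands for the affected names. `SAMPLE_DUMP` is constructed in the dump_cache layout (`;rrset` lines carry the remaining TTL, RR count, RRSIG count, trust and security fields, followed by presentation-format records); `AUTHORITATIVE` and `MAX_EXPECTED_TTL` are assumed inputs the operator supplies.

```python
# Constructed sample in the layout of `unbound-control dump_cache`; the
# mail.example.test. A record is the kind of entry the CVE would leave behind.
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 3600 1 0 8 3
example.test.\t3600\tIN\tNS\tns1.example.test.
;rrset 3600 1 0 8 3
ns1.example.test.\t3600\tIN\tA\t192.0.2.1
;rrset 3600 1 0 3 3
example.test.\t3600\tIN\tMX\t10 mail.example.test.
;rrset 86400 1 0 3 3
mail.example.test.\t86400\tIN\tA\t192.0.2.99
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
"""

# Authoritative data for the high-value zone as the operator knows it (assumed input).
AUTHORITATIVE = {
    "ns1.example.test.": {"192.0.2.1"},
    "mail.example.test.": {"192.0.2.10"},
}
MAX_EXPECTED_TTL = 3600   # assumed: the longest TTL the zone legitimately serves


def parse_rrset_cache(dump: str):
    """Yield (owner, ttl, type, rdata) for each RR line in the RRSET section."""
    in_rrsets = False
    for line in dump.splitlines():
        if line == "START_RRSET_CACHE":
            in_rrsets = True
            continue
        if line == "END_RRSET_CACHE":
            break
        if not in_rrsets or line.startswith(";") or not line.strip():
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        yield owner.lower(), int(ttl), rtype, rdata.strip()


def mx_targets(dump: str):
    """Mail-exchanger target names present in the cache (the names worth comparing)."""
    return {rdata.split()[-1].lower()
            for _o, _t, rtype, rdata in parse_rrset_cache(dump) if rtype == "MX"}


def audit_cache(dump: str, authoritative, max_ttl=MAX_EXPECTED_TTL):
    """Findings for cached address records that disagree with authoritative data
    or carry a TTL longer than the zone produces."""
    findings = []
    for owner, ttl, rtype, rdata in parse_rrset_cache(dump):
        if rtype not in ("A", "AAAA") or owner not in authoritative:
            continue
        if rdata not in authoritative[owner]:
            findings.append(("address-mismatch", owner, rdata))
        if ttl > max_ttl:
            findings.append(("ttl-anomaly", owner, ttl))
    return findings


def flush_commands(findings):
    """One `unbound-control flush <name>` per affected owner, for remediation."""
    return [f"unbound-control flush {owner}" for owner in sorted({f[1] for f in findings})]


if __name__ == "__main__":
    results = audit_cache(SAMPLE_DUMP, AUTHORITATIVE)
    print("MX targets in cache:", sorted(mx_targets(SAMPLE_DUMP)))
    for finding in results:
        print(*finding)
    print("\n".join(flush_commands(results)))
```

On a live resolver, pipe `unbound-control dump_cache` into `audit_cache` and run it on a schedule for the zones that matter; an address that disagrees with authoritative data, or a TTL far above what the zone serves, is exactly the residue the indicators above describe.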
Monitoring Recommendations
- Enable Unbound query logging and forward records to a centralized analytics platform for correlation
- Alert on resolver responses where additional-section records do not match the queried QNAME or zone
- Track the Unbound version inventory and flag any instance at or below 1.25.0
How to Mitigate CVE-2026-42960
Immediate Actions Required
- Upgrade all Unbound deployments to version 1.25.1 or later, which removes promiscuous additional-section caching
- Audit resolver caches and flush any entries that may have been populated during the exposure window
- Restrict resolver access to trusted client networks and block inbound UDP/53 from untrusted sources
Patch Information
NLnet Labs released Unbound 1.25.1 with a fix that disregards address records from the additional section unless they are explicitly relevant only to authority NS records. The patch complements the earlier remediation for CVE-2025-11411. Operators should consult the NLnet Labs CVE-2026-42960 Advisory for build and packaging details.
Workarounds
- Enforce DNSSEC validation for zones where supported to detect tampered records before caching
- Enable 0x20 query name randomization and source port randomization to raise the cost of spoofing
- Limit EDNS UDP buffer size to reduce exposure to fragmentation-based injection
# Configuration example: harden unbound.conf against spoofing while patching
server:
    harden-glue: yes                 # drop out-of-bailiwick glue
    harden-dnssec-stripped: yes      # reject answers that should be signed but are not
    use-caps-for-id: yes             # 0x20 query-name randomization
    edns-buffer-size: 1232           # keep UDP replies below common fragmentation limits
    do-not-query-localhost: yes
    access-control: 10.0.0.0/8 allow # trusted client networks only
    access-control: 0.0.0.0/0 refuse
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.