eastbaycyber

CVE-2026-42960: Unbound DNS Cache Poisoning Vulnerability

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-05-30
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-42960
CVSS score 10.0 (Critical)
Attack vector Not provided in the NVD data reviewed
Auth required Unknown from primary sources; defenders should assume none until confirmed otherwise
Patch status Fixed in Unbound 1.25.1; vendor patch available for 1.25.0

TL;DR - Unbound through 1.25.0 can cache attacker-influenced DNS data from crafted authority/additional sections. - Recursive resolver operators should upgrade to 1.25.1 or patch 1.25.0 immediately. - No confirmed in-the-wild exploitation was found in reviewed primary sources, but impact is high.

Vulnerability at a Glance

CVE-2026-42960 is a critical DNS cache poisoning vulnerability in NLnet Labs Unbound. According to the NVD description and the vendor advisory, Unbound up to and including version 1.25.0 can be tricked into caching records it should not accept when processing certain DNS replies that contain promiscuous RRSets in the authority section plus related address records in the additional section. The vendor states that if an attacker can attach those records to a reply, such as through spoofed packets or fragmentation attacks, the resolver may cache poisoned data.

Operationally, this matters because Unbound is a recursive resolver commonly used in enterprise, ISP, hosting, and privacy-focused DNS deployments. A poisoned recursive cache can affect every downstream client that trusts it. Even where end hosts are well managed, a compromised resolver can redirect traffic, degrade trust in DNS answers, and enable follow-on abuse such as phishing, service impersonation, or mail-routing manipulation if affected records influence MX-related lookups.

What Is This Vulnerability?

The vendor describes the bug as poisoning via promiscuous records for the authority section. In practical terms, Unbound could accept and cache DNS data that accompanies a response even though that accompanying data is not strictly relevant in the way Unbound should require. The advisory specifically notes that an attacker may inject RRSets other than NS, for example MX, and include associated address records in the additional section. If the authority RRSet has enough trust in context, Unbound may cache those additional records.

The important nuance is that this is not “generic DNS spoofing” in the abstract. It is a resolver trust and caching logic problem tied to how authority and additional section records are evaluated together. The fix in Unbound 1.25.1 changes this behavior by disregarding address records from the additional section if they are not explicitly relevant only to authority NS records, which tightens what the resolver will accept into cache. The vendor also says this is a complement fix to CVE-2025-11411, which suggests this issue is part of an ongoing hardening area around resolver acceptance rules.

Technical Notes

A simplified illustration of the risky pattern is a response where the authority section contains a record set that influences trust evaluation, while the additional section carries address data that Unbound should not treat as cacheable in that context.

;; AUTHORITY SECTION
example.com.    300    IN    MX    10 mail.example.com.

;; ADDITIONAL SECTION
mail.example.com. 300  IN    A     203.0.113.66
mail.example.com. 300  IN    AAAA  2001:db8::66

Per the vendor description, records like the above become dangerous if an attacker can cause them to be accepted in a spoofed or fragmented reply path and cached with sufficient trust.

AnalystImpact · assess the risk

Who Is Affected?

The affected product is NLnet Labs Unbound. The affected version range stated in the primary sources reviewed is “up to and including version 1.25.0.” That means any deployment running 1.25.0 or earlier should be treated as vulnerable unless the vendor patch has been manually applied and validated.

The fixed version is Unbound 1.25.1. The vendor also provides a manual patch option specifically for Unbound 1.25.0 using patch_CVE-2026-42960.diff followed by a rebuild and install. If you operate package-managed deployments, container images, appliances, or embedded systems that bundle Unbound, you should verify not just the package name but the actual resolver version and any downstream backport status. If your vendor has not published a backport statement, assume you are still exposed until proven otherwise.

CVSS Score Breakdown

The NVD record reviewed scores CVE-2026-42960 as 10.0 (Critical). The full vector string was not returned in the data available here, so it would be wrong to reconstruct or invent missing metric values. Defenders should therefore rely on the confirmed severity score and on the vendor’s explicit exploitation scenarios rather than guessing the exact vector components.

Even without the full vector, the impact is straightforward to understand. DNS cache poisoning in a recursive resolver can affect confidentiality, integrity, and availability at the trust layer of name resolution. A poisoned cache can redirect users to attacker-controlled infrastructure, alter service discovery, support credential theft, disrupt mail flow, or undermine security controls that depend on trustworthy DNS. Because recursive resolvers often serve many clients, the blast radius is much larger than a single host issue.

Exploitation Status

Based on the primary sources reviewed, there is no confirmed in-the-wild exploitation for CVE-2026-42960 at this time. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog in the lookup data provided. That is useful context, but it should not be read as a safety signal. KEV omission only means there is no CISA catalog entry at time of lookup, not that exploitation is impossible or unlikely in all environments.

There is also no vendor-published proof of concept in the materials reviewed here, and no primary-source confirmation of a public PoC was retrieved from the provided research. The vendor does, however, describe realistic exploitation conditions: an attacker may be able to poison the cache if they can attach malicious records to a reply through spoofed packets or fragmentation attacks. In the absence of confirmed exploitation data, defenders should assume that internet-exposed recursive resolvers, resolvers serving untrusted clients, and networks where spoofing or fragmentation abuse is feasible deserve urgent patching priority.

ResponderRunbook · act now

How to Detect It

Detection for this issue is difficult because a successful cache poisoning event can look like a valid cached answer after the fact. The first priority is therefore exposure detection: identify Unbound instances running 1.25.0 or earlier and inventory where they are used as recursive resolvers for production clients. Version discovery is more reliable than trying to infer compromise solely from logs.

The second priority is anomaly detection around DNS answers and cache behavior. Look for unusual authority/additional record combinations, especially where non-NS authority data is accompanied by address records in the additional section. Also investigate resolver answers that suddenly shift mail exchangers, service endpoints, or host addresses without corresponding legitimate zone changes. If you have passive DNS, compare Unbound-served answers to authoritative responses and to known-good upstream resolver behavior.

Technical Notes

Check the installed version:

unbound -V

On package-managed systems, verify the packaged version as well:

dpkg -l | grep unbound
rpm -qa | grep '^unbound'

Useful Unbound logging settings during investigation:

server:
  verbosity: 2
  log-queries: yes
  log-replies: yes

Concrete log pattern to hunt for in Unbound query/reply logs: responses where the resolver processes answers for a target domain and subsequent clients receive unexpected MX-related destinations or address records shortly afterward. Because Unbound log formats vary by build and settings, a practical grep pattern is to baseline suspicious mail-routing changes:

grep -Ei 'reply|query|mx|additional|authority' /var/log/unbound.log

If you export DNS telemetry to a SIEM, a detection query can flag replies where the authority section contains records other than NS and the additional section includes A/AAAA glue-like data. Example pseudo-query:

SELECT timestamp, src_ip, qname, authority_rrtype, additional_rrtype, additional_name
FROM dns_resolver_telemetry
WHERE authority_rrtype NOT IN ('NS')
  AND additional_rrtype IN ('A','AAAA')
ORDER BY timestamp DESC;

At the network layer, defenders with packet capture can look for fragmented DNS responses or suspicious UDP replies that include authority MX records plus additional A/AAAA records. Example Wireshark display filter:

dns && (ip.flags.mf == 1 || ip.frag_offset > 0)

Then manually inspect whether the fragmented response contains authority/additional combinations inconsistent with normal delegation behavior.

Mitigation and Patching

The vendor guidance is clear: upgrade to Unbound 1.25.1. This is the fixed release identified by NLnet Labs. If you are running 1.25.0, the vendor also provides a manual patch, patch_CVE-2026-42960.diff, as an interim remediation path where a full version upgrade is not immediately possible. Because this issue affects core resolver trust decisions, patching should be treated as urgent rather than deferred to a routine maintenance cycle.

If you cannot patch immediately, focus on reducing exploitability assumptions. The advisory mentions spoofed packet and fragmentation attack paths, so it is reasonable to harden networks against IP spoofing, review fragmentation handling exposure, and reduce resolver attack surface. Those measures are compensating controls only. They do not replace the fix, and they should not be treated as sufficient closure for vulnerable versions.

Technical Notes

Upgrade directly to the vendor-fixed release where available from your distribution or build process. Example source-based install path:

curl -O https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz
tar xzf unbound-1.25.1.tar.gz
cd unbound-1.25.1
./configure
make
sudo make install
unbound -V

Vendor-supported manual patch path for Unbound 1.25.0:

curl -O https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42960.diff
cd unbound-1.25.0
patch -p1 < ../patch_CVE-2026-42960.diff
make
sudo make install
unbound -V

After upgrade or patching, restart the resolver and consider flushing cache contents to remove potentially poisoned records already stored before remediation:

sudo unbound-control flush_zone example.com
sudo unbound-control flush_requestlist
sudo systemctl restart unbound

If you lack certainty about which zones may have been influenced, a broader cache flush may be appropriate based on your change window and operational tolerance.

References

Primary and supporting references reviewed for this article are below. These are the sources for the version ranges, fix version, and exploitation status statements above.

Resource URL
NLnet Labs advisory https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42960.txt
Unbound 1.25.1 release page https://www.nlnetlabs.nl/news/2026/May/20/unbound-1.25.1-released
Patched release tarball https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz
Manual patch https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42960.diff
GitHub advisory mirror https://github.com/advisories/GHSA-x7f7-rggg-4jvv

In summary, CVE-2026-42960 is a high-priority resolver issue with a straightforward defensive action: if you run Unbound 1.25.0 or earlier, move to 1.25.1 or apply the vendor patch immediately. There is no confirmed in-the-wild exploitation in the reviewed primary sources, and no vendor PoC was identified, but the absence of those signals should not slow response. Resolver cache poisoning is one of the few issues that can quietly affect an entire downstream population, which is exactly why this CVE deserves urgent attention.

For further reading on securing your smart TV, visit our FAQ on securing smart TVs. To understand more about security practices, check our glossary on reproducible builds.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-05-30

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.