PatchSiren cyber security CVE debrief
CVE-2026-42534 NLnet Labs CVE debrief
CVE-2026-42534 is a network-reachable availability issue in NLnet Labs Unbound up to and including 1.25.0. According to the published CVE description and NVD metadata, duplicate retransmits of the same query can refresh the apparent age of slow queries, which can interfere with Unbound’s jostle logic when the per-thread query limit is reached. The result is degraded resolution performance, and coordinated abuse may escalate that degradation into denial of resolution service. The vendor states that Unbound 1.25.1 fixes the issue by attaching an initial, non-updatable start time to incoming queries so the jostle logic can make correct age-based replacement decisions.
- Vendor: NLnet Labs
- Product: Unbound
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Operators and maintainers of Unbound recursive resolvers, especially internet-facing deployments and environments that rely on stable DNS resolution latency under load. Teams that run versions up to 1.25.0 should treat this as an availability risk and prioritize remediation.
Technical summary
The issue affects Unbound’s jostle logic, which is intended to replace some slow-to-resolve queries when num-queries-per-thread reaches its limit. The vulnerability arises because duplicate queries can renew the age used for selection, rather than preserving the original start time of the resolution effort. That can prevent slow queries from being recognized as aged candidates for replacement, reducing the effectiveness of jostling and degrading resolver throughput. NVD lists the affected CPE range as all Unbound versions ending before 1.25.1, and the vendor reference states that 1.25.1 introduces a fix using an initial, non-updatable start time.
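A simplified model of the age-based replacement described above, as an added example (not Unbound's code and not taken from the advisory). The slot count, the 200 ms age threshold, the class and the query names are assumptions constructed for illustration; the model contrasts an age that duplicates can refresh with a start time fixed at first arrival.

```python
JOSTLE_AGE_MS = 200  # assumed age after which an in-flight query may be replaced
SLOTS = 2            # assumed tiny per-thread limit so the effect is visible

class RequestList:
    """Toy model of a full per-thread query list with age-based replacement."""

    def __init__(self, refresh_on_duplicate):
        self.refresh_on_duplicate = refresh_on_duplicate
        self.start = {}  # qname -> timestamp (ms) used for age decisions

    def accept(self, qname, now):
        if qname in self.start:
            if self.refresh_on_duplicate:
                self.start[qname] = now  # flawed: a retransmit renews the age
            return "duplicate"
        if len(self.start) < SLOTS:
            self.start[qname] = now      # start time recorded at first arrival
            return "accepted"
        oldest = min(self.start, key=self.start.get)
        if now - self.start[oldest] > JOSTLE_AGE_MS:
            del self.start[oldest]       # aged slow query makes room
            self.start[qname] = now
            return "replaced " + oldest
        return "dropped"                 # list full, nothing old enough to replace

# Constructed timeline: two slow lookups retransmitted every 100 ms,
# then one unrelated client query at 500 ms.
TIMELINE = [(t, q) for t in range(0, 500, 100)
            for q in ("slow1.example", "slow2.example")]
TIMELINE.append((500, "www.example"))

def fate_of_last_query(refresh_on_duplicate):
    rl = RequestList(refresh_on_duplicate)
    outcome = None
    for now, qname in TIMELINE:
        outcome = rl.accept(qname, now)
    return outcome

if __name__ == "__main__":
    print("age refreshed by duplicates:", fate_of_last_query(True))
    print("start time fixed at arrival:", fate_of_last_query(False))
```

In the model, the unrelated query is dropped when duplicates refresh the age and is admitted when the start time is immutable, which is the behavioural difference to look for in queue and latency metrics before and after upgrading.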
Defensive priority
Medium. This is an unauthenticated network-facing availability issue with potential for significant operational impact, but the supplied material indicates it affects resolution performance rather than confidentiality or integrity, and exploitation requires an attacker who can both query the resolver and influence slow or malicious upstream responses.
Recommended defensive actions
- Upgrade NLnet Labs Unbound to version 1.25.1 or later.
- Confirm whether any deployed resolvers are running a version at or below 1.25.0.
- Review resolver performance, queueing, and latency metrics for signs of sustained slow-query buildup.
- Validate whether exposed resolvers accept queries from untrusted networks and reduce exposure where practical.
- Use the vendor advisory reference to confirm remediation details and deployment guidance.
- After upgrading, verify that resolution performance returns to baseline under normal load patterns.
Evidence notes
This debrief is based only on the supplied CVE description, NVD metadata, and the linked NLnet Labs reference. The CVE description says the flaw affects Unbound up to and including 1.25.0, can be exploited by an adversary who can query the resolver and control a slow or malicious domain name server, and may lead to denial of resolution service. NVD metadata marks the vuln status as Analyzed, lists the vulnerable CPE range as ending before 1.25.1, and records CWE-440. The vendor reference states that Unbound 1.25.1 contains the fix. CVE publication and source publication time are 2026-05-20T10:16:27.477Z; modified time is 2026-05-20T22:50:00.157Z.
Official resources
- CVE-2026-42534 CVE record (CVE.org)
- CVE-2026-42534 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference (Mitigation, Vendor Advisory)
CVE-2026-42534 was published on 2026-05-20T10:16:27.477Z and modified later the same day at 2026-05-20T22:50:00.157Z. The supplied record characterizes the issue as a vulnerability in Unbound’s jostle logic with availability impact, and the