PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42923 NLnet Labs CVE debrief

NLnet Labs Unbound versions 1.19.1 through 1.25.0 contain a DNSSEC validator issue where the negative-cache path for DS records does not apply the NSEC3 hash-calculation limit introduced in 1.19.1. According to the vendor and NVD, this can cause excessive hashing work and hold a global negative-cache lock long enough to block other threads, creating a denial-of-service condition under coordinated attack. Unbound 1.25.1 includes the fix.

Vendor
NLnet Labs
Product
Unbound
CVSS
MEDIUM 6.9
CISA KEV
Not listed (no KEV entry in the stored evidence)
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

Operators and administrators running affected Unbound recursive resolvers, especially environments that depend on DNSSEC validation and availability under load.

Technical summary

The vulnerability is in Unbound’s DNSSEC validation logic. A code path that consults the negative cache for DS records fails to enforce the existing cap on NSEC3 hash calculations, so hashing on that path is not bounded the way it is elsewhere in the validator. The result is excessive hashing work and prolonged holding of a global negative-cache lock, which blocks other threads that need the negative cache. The issue is reachable over the network: an adversary who controls a DNSSEC-signed zone can steer a resolver into the affected path, and under coordinated querying the stalled threads amount to a denial of service.
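The following is an added illustration, not Unbound’s code, of what the missing limit guards against. It implements the NSEC3 hash exactly as RFC 5155 specifies it (iterated SHA-1 over the canonical owner name and salt, base32hex output) and wraps it in a per-query budget so that a closest-encloser style walk over a long attacker-chosen name stops when the budget is spent rather than when the attacker’s name runs out. The cap value, the class names and the sample names are hypothetical or constructed; Unbound’s own limit and data structures are not reproduced here.

```python
"""Added example, not Unbound's code: RFC 5155 NSEC3 hashing under a work budget.

The path described above performs NSEC3 hash calculations without consulting
the per-query limit that 1.19.1 introduced for other validator paths.  Here
every hash is charged to a budget and refused once the cap is spent.  The cap
value, the class names and the sample names are hypothetical/constructed.
"""
import base64
import hashlib
from typing import List, Tuple

# base32 with the RFC 4648 "extended hex" alphabet, as NSEC3 owner names use it
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def b32hex(data: bytes) -> str:
    return base64.b32encode(data).translate(_TO_HEX).decode("ascii").lower().rstrip("=")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1.
    Cost grows linearly with `iterations`, a value the zone owner chooses."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


class HashBudgetExceeded(Exception):
    """Raised when a query has spent its NSEC3 hash allowance."""


class Nsec3Budget:
    """Per-query cap on hash calculations.  The default of 8 is a hypothetical
    value for this demo, not Unbound's limit."""

    def __init__(self, max_calculations: int = 8) -> None:
        self.max_calculations = max_calculations
        self.used = 0

    def hash(self, name: str, salt: bytes, iterations: int) -> str:
        # The check the vulnerable DS negative-cache path lacked: refuse further
        # work before the expensive call, not after it.
        if self.used >= self.max_calculations:
            raise HashBudgetExceeded(f"{self.used} NSEC3 hashes already computed for this query")
        self.used += 1
        return nsec3_hash(name, salt, iterations)


def ancestor_hashes(qname: str, salt: bytes, iterations: int,
                    budget: Nsec3Budget) -> List[Tuple[str, str]]:
    """Hash qname and every ancestor, the walk a closest-encloser proof performs.
    A long attacker-chosen name makes the loop long; the budget, not the
    attacker, decides when it stops."""
    labels = [lbl for lbl in qname.lower().rstrip(".").split(".") if lbl]
    result = []
    for i in range(len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        result.append((ancestor, budget.hash(ancestor, salt, iterations)))
    return result


def spent_before_refusal(qname: str, salt: bytes, iterations: int, cap: int) -> int:
    """Run the ancestor walk under a cap and report how many hashes were computed."""
    budget = Nsec3Budget(cap)
    try:
        ancestor_hashes(qname, salt, iterations, budget)
    except HashBudgetExceeded:
        pass
    return budget.used


if __name__ == "__main__":
    # Constructed input: salt and iteration count in the style of RFC 5155's examples.
    salt = bytes.fromhex("aabbccdd")
    print(nsec3_hash("example.", salt, 12))
    deep = ".".join(["x"] * 40) + ".example."   # 41 names to hash if nothing stops the walk
    print("hashes computed under cap 8:", spent_before_refusal(deep, salt, 12, 8))
```

The point of the budget object is where the check sits: before the hash call. A path that does the hashing and only afterwards notices the count has been exceeded has already paid the cost, and if it did so while holding a shared lock, every other thread waiting on that lock has paid it too.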

Defensive priority

High for availability-focused environments running affected Unbound versions; medium overall because the impact is service degradation/denial of service rather than data compromise.

Recommended defensive actions

  • Upgrade Unbound to version 1.25.1 or later.
  • Inventory all systems running Unbound and verify whether they fall within the affected version range (1.19.1 through 1.25.0).
  • Prioritize remediation on resolvers that are exposed to untrusted query traffic or that are critical to application availability.
  • Review vendor guidance in the linked advisory for any deployment-specific mitigation notes.
  • After upgrading, watch resolver latency and per-thread load (for example the per-thread counters reported by unbound-control stats) for residual contention around the negative cache.
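The inventory step above reduces to a version-range check, but the boundaries matter: the range is inclusive at 1.19.1 and exclusive at 1.25.1, and a build older than the range is not affected at all. The script below is an added example, not NLnet Labs’ or NVD’s tooling. It parses the first line of `unbound -V` output, which reads "Version X.Y.Z", and classifies each host against the range this debrief gives. The host names and banner texts are constructed, and the decision to flag a pre-release tagged with the fixed version number (for example 1.25.1rc1) for manual verification is a conservative choice made here, not a statement from the advisory.

```python
"""Added example, not NLnet Labs' or NVD's code: classify Unbound builds against
the range this debrief gives (versionStartIncluding 1.19.1, versionEndExcluding
1.25.1).  `unbound -V` prints "Version X.Y.Z" on its first line; the banners
below are constructed to mimic that, and the host names are made up."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, str]               # major, minor, patch, pre-release suffix

AFFECTED_START: Tuple[int, int, int] = (1, 19, 1)  # inclusive lower bound
FIXED_VERSION: Tuple[int, int, int] = (1, 25, 1)   # exclusive upper bound: first fixed release

_VERSION_RE = re.compile(r"^Version\s+(\d+)\.(\d+)\.(\d+)(\S*)", re.MULTILINE)


def parse_unbound_version(banner: str) -> Optional[Version]:
    """Pull the version out of `unbound -V` output; None if the banner is unrecognised."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def classify_version(v: Version) -> str:
    """Return 'unaffected' (predates the range), 'affected', 'fixed' or 'verify'.

    A pre-release carrying the fixed version number (e.g. 1.25.1rc1) is not
    assumed to contain the fix.  That is a conservative choice for this
    example, not something the advisory says."""
    core, suffix = v[:3], v[3]
    if core < AFFECTED_START:
        return "unaffected"
    if core < FIXED_VERSION:
        return "affected"
    if core == FIXED_VERSION and suffix:
        return "verify"
    return "fixed"


def classify_fleet(banners: Dict[str, str]) -> Dict[str, str]:
    """Map host -> classification, flagging hosts whose banner could not be parsed."""
    verdicts = {}
    for host, banner in banners.items():
        v = parse_unbound_version(banner)
        verdicts[host] = "unparsed" if v is None else classify_version(v)
    return verdicts


def hosts_needing_action(banners: Dict[str, str]) -> List[str]:
    """Hosts to schedule first: affected builds, plus anything unparsed or unverified."""
    return sorted(host for host, verdict in classify_fleet(banners).items()
                  if verdict in ("affected", "verify", "unparsed"))


# Constructed sample banners in the shape of `unbound -V` output (hypothetical hosts).
SAMPLE_BANNERS = {
    "resolver-a": "Version 1.22.0\n\nConfigure line: --with-libevent\nLinked libs: libevent",
    "resolver-b": "Version 1.25.1\n\nConfigure line: --with-libevent",
    "resolver-c": "Version 1.18.0\n\nConfigure line:",
    "resolver-d": "Version 1.25.1rc1\n\nConfigure line:",
    "resolver-e": "no unbound binary found on this host",
}

if __name__ == "__main__":
    for host, verdict in classify_fleet(SAMPLE_BANNERS).items():
        print(f"{host}: {verdict}")
    print("schedule first:", hosts_needing_action(SAMPLE_BANNERS))
```

In practice the banners come from running `unbound -V` on each host (over your configuration-management or SSH tooling) and feeding the collected output to classify_fleet; hosts that produce no parseable banner are listed for action rather than silently skipped, since an unknown version is not evidence of a fixed one.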

Evidence notes

The CVE description states that Unbound up to and including 1.25.0 is affected, that the vulnerable path does not account for the NSEC3 hash-calculation limit introduced in 1.19.1, and that Unbound 1.25.1 contains the fix. NVD lists the vulnerable CPE range as versionStartIncluding 1.19.1 through versionEndExcluding 1.25.1 and classifies the weakness as CWE-407 (Inefficient Algorithmic Complexity). The CVSS vector indicates network-reachable availability impact with no direct confidentiality or integrity impact.

Official resources

The CVE was published on 2026-05-20 at 10:16:27.630Z, with a same-day metadata update at 22:50:35.780Z. Treat the CVE published timestamp as the disclosure date.