PatchSiren cyber security CVE debrief
CVE-2026-42959 NLnet Labs CVE debrief
CVE-2026-42959 is a high-severity denial-of-service issue in NLnet Labs Unbound’s DNSSEC validator. A crafted upstream response can trigger an immediate crash in versions up to and including 1.25.0; Unbound 1.25.1 contains the fix.
- Vendor: NLnet Labs
- Product: Unbound
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Operators and administrators running Unbound, especially in environments that rely on DNSSEC validation or whose resolvers process responses from untrusted upstream DNS servers.
Technical summary
According to the vendor and NVD record, Unbound’s chase-reply message construction used the wrong counter to compute write offsets for ADDITIONAL section RRsets. In the affected path, DNAME duplication could raise the ANSWER count while AUTHORITY filtering could lower the AUTHORITY count, leaving an uninitialized array slot. The DNSSEC validator later dereferences that uninitialized pointer, causing a process crash. The vulnerability affects Unbound through 1.25.0 and is fixed in 1.25.1.
Defensive priority
High — remotely triggerable unauthenticated denial of service against a network-facing DNS validation path, with no user interaction required.
Recommended defensive actions
- Upgrade Unbound to version 1.25.1 or later.
- If immediate upgrade is not possible, review the NLnet Labs advisory for any vendor-provided mitigation guidance.
- Prioritize remediation on systems that validate DNSSEC or serve as critical infrastructure DNS components.
- After patching, verify resolver stability and monitor for unexpected crashes or repeated validation failures.
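One way to triage hosts for the actions above (an added example, not code from NLnet Labs or the advisory): it reads the version line from `unbound -V` or `unbound-control status` output, compares it with the 1.25.1 fix as integers, and flags affected hosts whose status output lists the `validator` module. The host names and sample outputs are constructed, and the helper names `parse_version`, `triage` and `triage_fleet` are hypothetical.

```python
import re

FIXED = (1, 25, 1)  # first fixed release per the debrief above
# Matches "Version 1.25.0" (unbound -V) and "version: 1.25.0" (unbound-control status).
_VERSION_RE = re.compile(r"^version:?\s+(\d+)\.(\d+)\.(\d+)(\S*)", re.I | re.M)
_MODULES_RE = re.compile(r"^modules:\s*\d+\s*\[(.*?)\]", re.M)

def parse_version(text):
    """Return ((major, minor, patch), suffix), or None when no version line exists."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)

def triage(text):
    """Return 'fixed', 'affected', 'affected-validating' or 'unknown' for one host."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    version, suffix = parsed
    # Integer tuples: a string comparison would rank "1.9.6" above "1.25.0".
    if version > FIXED or (version == FIXED and not suffix):
        return "fixed"
    if version == FIXED:
        # Assumption: a suffixed 1.25.1 build (e.g. a release candidate) needs review.
        return "unknown"
    # The active module list comes from `unbound-control status`.
    mods = _MODULES_RE.search(text)
    if mods and "validator" in mods.group(1).split():
        return "affected-validating"
    return "affected"

# Constructed sample outputs keyed by constructed host names.
SAMPLES = {
    "resolver-a": "version: 1.25.0\nverbosity: 1\nthreads: 2\nmodules: 2 [ validator iterator ]\n",
    "resolver-b": "Version 1.25.1\n\nConfigure line: --prefix=/usr\n",
    "resolver-c": "version: 1.9.6\nverbosity: 1\nmodules: 1 [ iterator ]\n",
    "resolver-d": "Version 1.25.1rc1\n",
    "resolver-e": "unbound-control: command not found\n",
}

def triage_fleet(samples):
    return {host: triage(out) for host, out in samples.items()}

if __name__ == "__main__":
    for host, verdict in triage_fleet(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Distribution packages can carry backported fixes under an older upstream version number, so confirm an `affected` verdict against the package changelog before scheduling work.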
Evidence notes
This debrief is based on the official NVD record, the CVE record, and the NLnet Labs vendor advisory referenced by NVD. The supplied corpus states that the issue affects Unbound up to and including 1.25.0, that 1.25.1 contains the fix, and that the vulnerability can crash the DNSSEC validator after malicious upstream replies.
Official resources
- CVE-2026-42959 CVE record (CVE.org)
- CVE-2026-42959 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
Published in the supplied official records on 2026-05-20; no KEV entry is present in the provided enrichment.