CVE-2026-42923

Name of the Vulnerable Software and Affected Versions NLnet Labs Unbound versions prior to 1.25.1

Description A flaw in the DNSSEC validator occurs when the code path used to consult the negative cache for DS records ignores the limit on NSEC3 hash calculations. An attacker controlling a DNSSEC signed zone can exploit this by signing NSEC3 records with high iterations for child delegations and querying the system. This causes the software to perform excessive hash calculations, holding a global lock for the negative cache and blocking other threads. This results in service degradation and can lead to a denial of service through coordinated attacks.

Recommendations Update to version 1.25.1.