The CVE number for this vulnerability is CVE-2026-42923.


== Summary
A vulnerability in Unbound's DNSSEC validator was found where the code path
to consult the negative cache for DS records does not take into account the
limit on NSEC3 hash calculations introduced in 1.19.1.
This leads to degradation of service during the attack.

Unbound 1.25.1 includes a fix to bound the vulnerable code path with
the existing limit for NSEC3 hash calculations.


== Affected products
Unbound up to and including version 1.25.0.


== Description
An adversary that controls a DNSSEC signed zone can exploit this by signing
NSEC3 records with acceptably high iterations for child delegations and
querying a vulnerable Unbound.
Unbound will keep performing the allowed hash calculations on the NSEC3 records
and will not limit the work by the mitigation introduced in 1.19.1.
As a side effect, a global lock for the negative cache will be held for the
duration of the hashing, blocking other threads that need to consult the
negative cache.

Coordinated attacks could raise the vulnerability to denial of service.

Unbound 1.25.1 includes a fix to bound the vulnerable code path with
the existing limit for NSEC3 hash calculations.


== Mitigation

=== Downloading patched version
Unbound 1.25.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually
For Unbound 1.25.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42923.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2026-42923.diff
then run 'make install' to install Unbound.

The patch is tested to work on Unbound 1.25.0.


== Acknowledgments
We would like to thank Qifan Zhang from Palo Alto Networks for discovering and
responsibly disclosing the vulnerability.