The CVE number for this vulnerability is CVE-2026-42959.


== Summary
A denial of service vulnerability was found in Unbound's DNSSEC validator that
can lead to a crash given malicious upstream replies.

Unbound 1.25.1 includes a fix to use the proper counters to calculate the write
offsets.


== Affected products
Unbound up to and including version 1.25.0.


== Description
When Unbound constructs chase-reply messages for validation, the code uses the
wrong counter to calculate write offsets for ADDITIONAL section rrsets.
DNAME duplication could increase the ANSWER section count and authority
filtering could decrease the AUTHORITY section count and create an
uninitialized array slot.
Combining these two, the validator later dereferences this uninitialized
pointer, causing an immediate process crash.

An adversary controlling a DNSSEC-signed domain can trigger this bug with a
single query by configuring a DNAME chain with unsigned CNAMEs and a response
containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records.

Unbound 1.25.1 includes a fix to use the proper counters to calculate the write
offsets.


== Mitigation

=== Downloading patched version
Unbound 1.25.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually
For Unbound 1.25.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2026-42959.diff
then run 'make install' to install Unbound.

The patch is tested to work on Unbound 1.25.0.


== Acknowledgments
We would like to thank Qifan Zhang from Palo Alto Networks for discovering and
responsibly disclosing the vulnerability.