The CVE number for this vulnerability is CVE-2026-42960.

This complements previous fixes for CVE-2025-11411.


== Summary
Promiscuous RRSets that complement DNS replies in the authority
section can be used to trick Unbound to cache such records.
If an adversary is able to attach such records in a reply (i.e.,
spoofed packet, fragmentation attack) he would be able to poison
Unbound's cache.

Unbound 1.25.1 includes a fix that disregards address records from the
additional section if they are not relevant to authority NS records, mitigating
the possible poison effect.


== Affected products
Unbound up to and including version 1.25.0.


== Description
A malicious actor can exploit the possible poisonous effect by injecting
RRSets other than NS that are also accompanied by address records in a reply,
for example MX.
This could be achieved by trying to spoof a reply packet or fragmentation
attacks.

Unbound would then accept the relative address records in the additional
section and cache them if the authority RRSet has enough trust at this point,
i.e., in-zone data for the delegation point.

Unbound 1.25.1 includes a fix that disregards address records from the
additional section if they are not explicitly relevant only to authority NS
records, mitigating the possible poison effect.


== Mitigation

=== Downloading patched version
Unbound 1.25.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually
For Unbound 1.25.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42960.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2026-42960.diff
then run 'make install' to install Unbound.

The patch is tested to work on Unbound 1.25.0.


== Acknowledgments
We would like to thank TaoFei Guo from Peking University, Yang Luo and JianJun
Chen, Tsinghua University for discovering and responsibly disclosing the
vulnerability.