Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-20T00:00:00 unbound: Unbound DNS Cache Poisoning via Promiscuous Additional Section RRSet Acceptance 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CWE-349

A flaw was found in Unbound's handling of DNS reply messages, complementing the earlier CVE-2025-11411 fix. Unbound accepts and caches address records from the additional section of DNS replies when they accompany authority section RRSets other than NS (such as MX records). A malicious actor who can inject crafted DNS responses—via packet spoofing or fragmentation attacks—can exploit this to poison Unbound's cache with attacker-controlled address records, potentially redirecting DNS resolution for affected domains.

The Red Hat Product Security team has assessed the severity of this vulnerability as Moderate. Exploitation requires the attacker to successfully inject or spoof DNS response packets, which increases attack complexity. However, successful exploitation can result in DNS cache poisoning, allowing the attacker to redirect DNS resolution for affected domains. Red Hat would like to thank JianJun Chen (Tsinghua University), TaoFei Guo (Peking University), and Yang Luo (Tsinghua University) for reporting this issue. Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat Hardened Images 2026-05-23T00:00:00Z RHSA-2026:20357 unbound-main-1.25.1-1.hum1 Red Hat Enterprise Linux 10 Fix deferred unbound Red Hat Enterprise Linux 6 Fix deferred unbound Red Hat Enterprise Linux 7 Fix deferred unbound Red Hat Enterprise Linux 8 Fix deferred unbound Red Hat Enterprise Linux 9 Fix deferred unbound Red Hat OpenShift Container Platform 4 Fix deferred rhcos https://www.cve.org/CVERecord?id=CVE-2026-42960 https://nvd.nist.gov/vuln/detail/CVE-2026-42960