What is CVE-2026-42960?

CVE-2026-42960 is a critical-severity vulnerability in Nlnet Labs Unbound, classified under CWE-349. CVSS score: 10.0/10. Published 2026-05-20.

How severe is CVE-2026-42960?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Vulnerability in Nlnet Labs Unbound

CVE-2026-42960

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to poisoning via promiscuous records for the authority section. Promiscuous RRSets that complement DNS replies in the authority section can be used to trick Unbound to cac…

EPSS: 0.000 (8.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H.

Affected products

Nlnet Labs Unbound — versions 0
Nlnetlabs Unbound

Weakness classification (CWE)

CWE-349

References

sep@nlnetlabs.nl (vendor-advisory, Mitigation, Vendor Advisory)

Frequently asked questions

What is CVE-2026-42960?: CVE-2026-42960 is a critical-severity vulnerability in Nlnet Labs Unbound, classified under CWE-349. CVSS score: 10.0/10. Published 2026-05-20.
How severe is CVE-2026-42960?: Critical severity. CVSS v3 base score is 10.0 out of 10.