You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
unbound dnssec
About this tag
The unbound dnssec tag covers discussions about DNSSEC validation flaws in the Unbound DNS resolver, particularly critical CVEs disclosed in 2026. Topics include CVE-2026-33278, a critical validation flaw allowing denial of service and possible remote code execution, and CVE-2026-42959, a denial-of-service crash triggered by malicious DNSSEC content. Both vulnerabilities affect Unbound versions prior to 1.25.1 and are fixed in that release. The content emphasizes operational risks for Windows networks, domain controllers, Pi-hole, VPN concentrators, and other environments relying on Unbound for recursive DNS resolution. Practical implications include service outages and the fragility of DNSSEC validation as a security boundary.
NLnet Labs disclosed CVE-2026-33278 on May 20, 2026, as a critical Unbound DNSSEC validation flaw affecting versions 1.19.1 through 1.25.0, with denial of service and possible remote code execution fixed in Unbound 1.25.1. The short version is simple: if you operate a validating recursive...
CVE-2026-42959 is a denial-of-service vulnerability disclosed in May 2026 in NLnet Labs Unbound, where malicious upstream DNSSEC validation content can crash the resolver and interrupt DNS service for clients that depend on it. The practical story is not remote code execution or data theft; it...