NLnet Labs disclosed CVE-2026-42534 on May 20, 2026, a medium-severity vulnerability in the Unbound DNS resolver that lets an attacker degrade DNS performance; this page looks at the risk for Windows networks that run Unbound. The flaw, present in Unbound versions up to and including 1.25.0, lies in the resolver's jostle logic: a stream of duplicate queries can bypass the congestion-control mechanism that is supposed to fold identical in-flight requests into one. Windows administrators who rely on Unbound for internal resolution, or as a validating resolver, should patch promptly to avoid slowdowns and denial-of-service conditions.

What is Unbound and Why Does It Matter on Windows?

Unbound is a widely used open-source recursive DNS resolver known for its speed, DNSSEC validation, and low memory footprint. While not a default Windows component, many enterprises deploy Unbound on Windows servers as a caching resolver to improve DNS performance and security. In an Active Directory environment it is usually placed behind the AD DNS servers as their forwarder: the domain controllers keep serving the AD zones, and external lookups (and DNSSEC validation) are offloaded to Unbound. When Unbound stumbles, every DNS-dependent application, from web browsers to VPN clients, feels the lag.

Understanding Jostle Logic in DNS Resolvers

Two related mechanisms govern in-flight queries in a recursive resolver such as Unbound. The first is coalescing: the resolver keeps a table of the lookups it is currently working on (Unbound calls it the mesh), and when a second client asks for the same name, type and class while the first lookup is still in flight, the new client is attached to the existing query state instead of triggering another upstream request; when the answer arrives it is served to every waiting client at once. The second is the jostle logic proper, which handles an overfull table: the table is bounded by num-queries-per-thread, and when it is full a new query may displace ("jostle out") an old entry that has already run longer than jostle-timeout, otherwise the new query is dropped. Together they stop a burst of redundant traffic from turning into a burst of upstream queries and from starving other clients. Without them, every duplicate is processed individually, consuming CPU cycles, memory, table slots, and upstream bandwidth.

How CVE-2026-42534 Bypasses Jostle Logic

The bug resides in Unbound's internal query-state management. Under specific conditions, a sequence of repeated requests for the same name slips past the check that should attach them to the lookup already in flight: the resolver treats each duplicate as a fresh request, gives it its own slot in the in-flight table, and forwards it upstream. Exploitation requires no authentication and no network position beyond the ability to send DNS packets to the Unbound service, so an attacker on the local network, or a compromised internal host, can launch a stream of duplicate queries and exhaust resolver resources quickly.
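To make the two mechanisms concrete, here is a small Python model of an in-flight query table, added for this page and not taken from Unbound's source. It coalesces identical questions onto one upstream query and jostles out stale entries when the table is full; a second run with coalescing switched off reproduces the failure mode described above, where every duplicate is treated as fresh work. The table size and timeout mirror Unbound's num-queries-per-thread and jostle-timeout options, the traffic in simulate() is constructed, and the counts it produces belong to this model only, not to Unbound.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class InFlight:
    """One outstanding upstream lookup and the clients waiting for its answer."""
    key: tuple                      # (qname, qtype): the question being resolved
    started: float                  # time the upstream query was sent
    waiters: list = field(default_factory=list)


class Mesh:
    """Toy model of a resolver's in-flight query table (Unbound calls it the mesh).

    max_queries mirrors num-queries-per-thread, jostle_timeout mirrors jostle-timeout.
    coalesce=False models the flaw: duplicates are not matched against queries
    already in flight and each one consumes a slot and an upstream packet.
    """

    def __init__(self, max_queries: int, jostle_timeout: float, coalesce: bool = True):
        self.max_queries = max_queries
        self.jostle_timeout = jostle_timeout
        self.coalesce = coalesce
        self._ids = count()
        self.entries: dict = {}          # entry id -> InFlight
        self.index: dict = {}            # question -> entry id, used for coalescing
        self.upstream_sent = self.jostled = self.dropped = 0

    def query(self, qname: str, qtype: str, client: str, now: float) -> str:
        key = (qname.lower().rstrip("."), qtype.upper())
        # Normal path: an identical question is already in flight, so attach the client.
        if self.coalesce and key in self.index:
            self.entries[self.index[key]].waiters.append(client)
            return "coalesced"
        # Table full: jostle out the oldest entry if it has exceeded its time budget,
        # otherwise the new query is dropped.
        if len(self.entries) >= self.max_queries:
            oldest = min(self.entries, key=lambda i: self.entries[i].started)
            if now - self.entries[oldest].started > self.jostle_timeout:
                self._remove(oldest)
                self.jostled += 1
            else:
                self.dropped += 1
                return "dropped"
        eid = next(self._ids)
        self.entries[eid] = InFlight(key, now, [client])
        self.index[key] = eid
        self.upstream_sent += 1          # one more packet towards the authoritative side
        return "sent"

    def answer(self, qname: str, qtype: str) -> int:
        """Upstream reply arrives: release every entry for that question, return clients served."""
        key = (qname.lower().rstrip("."), qtype.upper())
        served = 0
        for eid in [i for i, e in self.entries.items() if e.key == key]:
            served += len(self._remove(eid).waiters)
        return served

    def _remove(self, eid: int) -> InFlight:
        entry = self.entries.pop(eid)
        if self.index.get(entry.key) == eid:
            del self.index[entry.key]
        return entry


def simulate(coalesce: bool) -> dict:
    """Constructed traffic: 200 duplicate SRV queries in 0.2 s from many clients,
    then 10 legitimate lookups, then one more after jostle-timeout has elapsed."""
    mesh = Mesh(max_queries=64, jostle_timeout=2.0, coalesce=coalesce)
    for i in range(200):
        mesh.query("_ldap._tcp.dc._msdcs.corp.example", "SRV", f"atk{i}", now=i * 0.001)
    legit = [mesh.query(f"ws{i}.corp.example", "A", f"ws{i}", now=0.5) for i in range(10)]
    late = mesh.query("mail.corp.example", "MX", "ws-late", now=3.0)
    return {
        "upstream_sent": mesh.upstream_sent,
        "dropped": mesh.dropped,
        "jostled": mesh.jostled,
        "legit_dropped": legit.count("dropped"),
        "late_query": late,
        "clients_served_by_one_reply": mesh.answer("_ldap._tcp.dc._msdcs.corp.example", "SRV"),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("coalescing" if mode else "duplicates forwarded", simulate(mode))
```

With coalescing on, the 200 duplicates cost one upstream packet and no legitimate query is lost; with it off, the first 64 duplicates fill the table, the rest and all ten legitimate lookups are dropped, and only after jostle-timeout has elapsed can a new query jostle one of the stale duplicates out.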

From Duplicate Queries to Slow DNS: The Real-World Impact

The immediate result is query amplification. What should be one outbound request to an authoritative server becomes dozens or hundreds, depending on the attacker's rate. This wastes upstream bandwidth and may trip response rate limiting or outright blocking at the authoritative servers the resolver depends on. On the Windows host running Unbound, CPU and memory usage climb as the resolver tracks separate state for every duplicate, and the in-flight table fills with redundant entries. Legitimate DNS requests are delayed or dropped, and timeouts become common. Users experience this as web pages that hang on "resolving host", authentication failures, or sluggish network applications.

Why Windows Networks Are Particularly Vulnerable

Windows environments routinely generate many simultaneous lookups for the same record: hundreds of workstations booting at the same time all ask for the same SRV records (for example _ldap._tcp.dc._msdcs.<domain>) to locate a domain controller, and patch or login storms produce the same pattern for a handful of names. A resolver whose coalescing is broken amplifies these routine bursts, turning normal behavior into a self-inflicted slowdown. An attacker who understands this pattern can time their duplicate queries to coincide with peak login hours or patch-management windows to maximize disruption.

Affected Software and the Fix

CVE-2026-42534 affects Unbound 1.0.0 through 1.25.0. NLnet Labs released Unbound 1.25.1 on the same day the CVE was published; it tightens the jostle guard so that duplicates arriving while the initial query is in progress are no longer treated as new work. The patch introduces a hash-based deduplication table that survives rapid query floods, ensuring that only one instance of a given question remains active. Administrators should upgrade to Unbound 1.25.1 or later immediately.

Workarounds for Immediate Mitigation

If an immediate upgrade is not possible, consider these temporary measures:
- Rate-limit clients with Unbound's own ip-ratelimit option (queries per second per source address), which is enforced before a query reaches the in-flight table. Windows Defender Firewall has no rate-limiting rule type; use it only to restrict which subnets may reach port 53 at all.
- Do not count on qname-minimisation as a mitigation: it limits what is disclosed to upstream servers but has no effect on how duplicate queries are handled.
- Deploy a caching front end in front of Unbound that answers repeated questions from its own cache (for example dnsdist with its packet cache), so that a flood of identical queries never reaches the vulnerable resolver.
- Monitor the output of unbound-control stats_noreset: total.requestlist.current.all (in-flight queries), total.requestlist.overwritten (queries jostled out) and total.requestlist.exceeded (queries dropped because the list was full), together with total.recursion.time.avg and host CPU load. A rising overwritten or exceeded counter under otherwise normal client traffic is the signature to alert on.
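The monitoring item above, worked through as a small Python check added for this page (it is not an NLnet Labs tool). It parses two snapshots of unbound-control stats_noreset output taken an interval apart, derives the per-second rate of jostled and dropped queries from the cumulative counters, and flags a nearly full request list, a high cache-miss ratio and slow recursion. The statistic names are the real unbound-control names; the two snapshots are constructed sample data, and the request-list capacity is assumed to be num-queries-per-thread multiplied by num-threads, which must match your unbound.conf.

```python
"""Check `unbound-control stats_noreset` output for request-list pressure."""

# Constructed sample snapshots (60 s apart), not captured from a real server;
# only the counters the check reads are shown.
SNAPSHOT_T0 = """\
total.num.queries=48213
total.num.cachemiss=8096
total.num.queries_ip_ratelimited=0
total.requestlist.avg=412.5
total.requestlist.max=1024
total.requestlist.overwritten=12
total.requestlist.exceeded=0
total.requestlist.current.all=388
total.recursion.time.avg=0.183217
"""

SNAPSHOT_T1 = """\
total.num.queries=91560
total.num.cachemiss=51211
total.num.queries_ip_ratelimited=0
total.requestlist.avg=948.7
total.requestlist.max=1024
total.requestlist.overwritten=323
total.requestlist.exceeded=1204
total.requestlist.current.all=1019
total.recursion.time.avg=4.183217
"""


def parse_stats(text: str) -> dict:
    """Parse the key=value lines unbound-control prints into a dict of floats."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            stats[key] = float(value)
    return stats


def assess(prev: dict, cur: dict, interval_s: float, num_queries_per_thread: int,
           num_threads: int, fill_warn: float = 0.8, miss_ratio_warn: float = 0.5,
           recursion_warn_s: float = 1.0) -> list:
    """Return human-readable findings; an empty list means nothing looks wrong."""
    findings = []
    # Assumption: the request list holds num-queries-per-thread entries per worker thread.
    capacity = num_queries_per_thread * num_threads
    in_flight = cur["total.requestlist.current.all"]
    if in_flight / capacity >= fill_warn:
        findings.append(f"request list {in_flight / capacity:.0%} full "
                        f"({int(in_flight)} of {capacity} slots in use)")
    # Cumulative counters: derive rates from the difference between snapshots.
    for key, label in (("total.requestlist.overwritten", "jostled out"),
                       ("total.requestlist.exceeded", "dropped because the list was full")):
        rate = (cur[key] - prev[key]) / interval_s
        if rate > 0:
            findings.append(f"{rate:.1f} queries/s {label}")
    queries = cur["total.num.queries"] - prev["total.num.queries"]
    misses = cur["total.num.cachemiss"] - prev["total.num.cachemiss"]
    if queries and misses / queries >= miss_ratio_warn:
        findings.append(f"cache-miss ratio {misses / queries:.0%}: most traffic is going upstream")
    if cur["total.recursion.time.avg"] >= recursion_warn_s:
        findings.append(f"average recursion time {cur['total.recursion.time.avg']:.2f} s")
    return findings


def run_example() -> list:
    """Evaluate the constructed snapshots for a single-thread server with the default-sized list."""
    return assess(parse_stats(SNAPSHOT_T0), parse_stats(SNAPSHOT_T1),
                  interval_s=60, num_queries_per_thread=1024, num_threads=1)


if __name__ == "__main__":
    for finding in run_example():
        print("WARN", finding)
```

On a live server feed the check with the output of two unbound-control stats_noreset runs (the _noreset variant leaves the counters intact); this needs remote-control enabled in unbound.conf. A few jostled queries during a genuine burst are normal; a sustained exceeded rate while client traffic is flat is what distinguishes a duplicate-query flood from ordinary load.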

Assessing the Severity: Medium but Meriting Urgent Attention

CVSS 3.1 scores the vulnerability at 5.3 (Medium). The attack preconditions are as weak as they get (network attack vector, low complexity, no privileges, no user interaction); what holds the score at Medium is the impact the scoring assumes: no effect on confidentiality or integrity and only a partial loss of availability. In practice the availability impact can be severe where Unbound is a single point of failure for DNS. Windows shops that rely on DNS-intensive applications (VoIP, cloud synchronization, remote desktop) may see serious operational degradation. Treat this CVE as a high priority for any Unbound deployment on Windows.

The Bigger Picture: DNS Resolver Security in 2026

This incident highlights a growing trend: attackers are targeting infrastructure components like DNS resolvers that were rarely scrutinized in the past. With the rise of encrypted DNS protocols (DoT, DoH) and the central role of DNS in zero-trust architectures, a single resolver weakness can ripple across an entire organization. Administrators should treat DNS software with the same rigor as web servers or databases, applying patches promptly and testing changes in a lab before rollout.

Steps to Patch Unbound on Windows

  1. Check the installed build with unbound.exe -V (the first line reads "Version x.y.z"); anything up to 1.25.0 is affected. Download the latest Windows build from the NLnet Labs website, or use a package manager such as Chocolatey if a package is available.
  2. Back up unbound.conf, then stop the service: net stop unbound (if Unbound is running as a service).
  3. Replace unbound.exe and its associated DLLs, keeping your unbound.conf in place.
  4. Start the service again (net start unbound) and verify with unbound-control status, which also prints the running version; this requires remote-control to be enabled in unbound.conf.
  5. Test resolution against the server before returning it to production, for example Resolve-DnsName -Server <resolver> example.com in PowerShell, or nslookup or dig where available, and confirm that response times are back to normal.
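A small Python helper for steps 1 and 5, added here and not part of Unbound or the NLnet Labs installer: it parses the first line of unbound -V output to decide whether the installed build falls in the affected range, and sends a single UDP A query to the resolver using only the standard library, so the post-upgrade check does not depend on dig being present on the Windows host. The "Version x.y.z" line format and the fixed-in version 1.25.1 are taken from this page; the resolver address and test name in the usage comment are placeholders.

```python
import random
import re
import socket
import struct
import sys
import time

FIXED_IN = (1, 25, 1)     # first release this page reports as fixed
VERSION_RE = re.compile(r"^Version\s+(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_unbound_version(output: str) -> tuple:
    """Extract (major, minor, patch) from the first line of `unbound -V`."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no 'Version x.y.z' line in unbound -V output")
    return tuple(int(part) for part in match.groups())


def is_affected(version: tuple) -> bool:
    """True for every release before the fix, i.e. 1.25.0 and older."""
    return version < FIXED_IN


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query packet: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_rcode(response: bytes, expected_id: int) -> int:
    """Validate the response header and return its RCODE (0 = NOERROR, 3 = NXDOMAIN)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack("!HH", response[:4])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F


def dns_probe(server: str, name: str, timeout: float = 2.0) -> tuple:
    """Send one A query over UDP and return (rcode, round-trip seconds)."""
    qid = random.randrange(0x10000)
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.perf_counter()
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
        elapsed = time.perf_counter() - started
    return parse_rcode(response, qid), elapsed


if __name__ == "__main__":
    # Usage (PowerShell): python check_unbound.py "$(unbound -V)" 192.0.2.53 example.com
    # 192.0.2.53 and example.com are placeholders; substitute your resolver and a test name.
    version = parse_unbound_version(sys.argv[1])
    print("unbound", ".".join(map(str, version)),
          "AFFECTED, upgrade" if is_affected(version) else "not affected")
    if len(sys.argv) > 3:
        rcode, rtt = dns_probe(sys.argv[2], sys.argv[3])
        print(f"probe rcode={rcode} rtt={rtt * 1000:.1f} ms")
```

Run the probe a few times before and after the upgrade and compare the round-trip times; a resolver under a duplicate-query flood answers slowly or not at all (the probe raises socket.timeout), while a healthy one answers a cached name in a few milliseconds.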

Community Feedback and Verified Workarounds

Discussion on the Unbound mailing list confirms that enabling the so-reuseport: yes option does not mitigate the jostle bypass; the option only spreads incoming packets across worker threads and does not change how queries are coalesced. Some users report that setting num-queries-per-thread: 512 lowered the impact by capping the number of parallel queries, although a smaller cap also means the table fills sooner and legitimate queries are dropped earlier, so a full fix requires the code patch. Windows-specific forums note that version 1.25.1 resolves all observed delays in Active Directory environments where Unbound was acting as a forwarder.

CVE-2026-42534 is a reminder that even time-tested DNS software can harbor subtle bugs with outsized consequences. For Windows administrators, the message is clear: check your Unbound version today, and upgrade if you're on 1.25.0 or older. The fix takes minutes; the alternative is a network that grinds to a crawl under a storm of duplicate queries.