A medium-severity DNSSEC validation flaw tracked as CVE-2026-42923 was disclosed in May 2026, affecting the NLnet Labs Unbound recursive DNS resolver up to and including version 1.25.0. The vulnerability allows a remote attacker to cause a denial-of-service condition by sending specially crafted NSEC3 records that force excessive hash computations on the target server. Windows administrators who rely on Unbound as their validating resolver need to patch immediately.

Unbound is a widely used open-source recursive, caching, and validating DNS resolver that runs natively on Windows clients and servers. It frequently serves as an upstream validator for Windows DNS Server or as a local DNSSEC-validating stub resolver on domain controllers and other critical infrastructure. Its strict adherence to DNSSEC standards makes it a popular choice for environments requiring enhanced security against DNS spoofing and cache poisoning.

Understanding the NSEC3 hash overload

DNSSEC uses NSEC3 records to provide authenticated denial of existence for names that do not exist in a zone. Unlike plain NSEC records, which list adjacent owner names in clear text, NSEC3 hashes each owner name and orders the records by hash value, which makes enumerating the zone considerably harder. A validating resolver checking a denial-of-existence or wildcard proof cannot take the server's word for it: it must compute the same cryptographic hashes itself, with the salt and iteration count the server supplies, to confirm that the proof covers the queried name.

In CVE-2026-42923, a malicious authoritative server can craft NSEC3 responses that carry extremely high iteration counts and lengthy salt values. When Unbound processes such a response it enters a tight loop of iterated SHA-1 computations, up to millions of hashes per query, without imposing adequate limits. Because the calculations are CPU-intensive and run single-threaded for each query, a stream of such crafted responses can exhaust processor resources, degrading or halting DNS resolution for all clients.

Impact on Windows environments

For Windows administrators, the risk is tangible. Many organizations deploy Unbound as a service on Windows Server 2022 or Windows 11 to enforce DNSSEC validation for Active Directory integrated zones or to offload validation from forwarders. In a typical architecture, all internal client queries hit Unbound, which then recurses to the internet. If an attacker can cause Unbound to stall while processing crafted NSEC3 records, every DNS-dependent service, from logon authentication to email delivery, can grind to a halt.

Even a single public-facing recursive resolver running Unbound on Windows can become the target of such an attack. Because the vulnerability requires neither a privileged network position nor man-in-the-middle access, any remote authoritative server contacted during recursion can trigger the hash overload simply by answering with a malicious NSEC3 record. The cost is highly asymmetric: a few packets from the attacker translate into sustained CPU exhaustion on the resolver.

Mitigation and patching

NLnet Labs released a patch that enforces hard limits on NSEC3 hash iterations and salt length, capping them at the values recommended in RFC 9276. The fix also adds early bailout logic that aborts validation as soon as the computational cost of a response exceeds a threshold, so an over-limit record is rejected before any expensive hashing takes place.
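To make the cost argument above concrete, here is an added example (not code from the page or from Unbound) that implements the NSEC3 hash of RFC 5155 and wraps it in the kind of cost-bounded validator the patch description implies: an iteration cap taken from RFC 9276 (which tells validators to treat more than 100 iterations as insecure and not compute them) and a constructed per-response hash budget that aborts early. The cap of 100 is the RFC's number, the 10,000-hash budget, the Nsec3Validator class and the sample response are assumptions of this example; the page does not state the exact limits Unbound applies. The example also shows why the cost is linear in the iteration count, which is the property the attack exploits.

```python
import hashlib

# RFC 9276 section 3.2: validators should treat NSEC3 records with more than
# 100 iterations as insecure and need not hash them at all.
MAX_ITERATIONS = 100
# Constructed budget for this example: total SHA-1 invocations one response may
# cost us, no matter how many NSEC3 records it carries.
MAX_HASHES_PER_RESPONSE = 10_000

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet (RFC 4648 section 7), unpadded."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(BASE32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash_cost(iterations: int) -> int:
    """SHA-1 invocations needed for one name: the initial hash plus one per iteration."""
    return iterations + 1


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


class HashBudgetExceeded(Exception):
    """Raised when a single response would cost more hashing than we allow."""


class Nsec3Validator:
    """Cost-bounded NSEC3 hashing (hypothetical helper, not Unbound's code).

    Over-limit iteration counts are refused before any work is done, and the
    cumulative work spent on one response is tracked so a reply stuffed with
    many moderately expensive records cannot add up to a CPU-exhaustion attack.
    """

    def __init__(self, max_iterations=MAX_ITERATIONS, budget=MAX_HASHES_PER_RESPONSE):
        self.max_iterations = max_iterations
        self.budget = budget
        self.spent = 0  # SHA-1 invocations spent on the current response

    def hash_name(self, name: str, salt: bytes, iterations: int):
        if iterations > self.max_iterations:
            return None  # RFC 9276: treat as insecure, do not burn CPU on it
        cost = nsec3_hash_cost(iterations)
        if self.spent + cost > self.budget:
            raise HashBudgetExceeded(f"{self.spent + cost} hashes exceeds budget {self.budget}")
        self.spent += cost
        return nsec3_hash(name, salt, iterations)


def validate_response(records, validator=None):
    """Hash every (owner, salt, iterations) triple of a constructed response.

    Returns a list of (owner, hash-or-None); None marks a record refused under
    the iteration cap. Raises HashBudgetExceeded if the response as a whole
    costs too much.
    """
    validator = validator or Nsec3Validator()
    return [(owner, validator.hash_name(owner, salt, iters)) for owner, salt, iters in records]


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")  # salt from the RFC 5155 Appendix A example zone
    print("example. with 12 iterations ->", nsec3_hash("example", salt, 12))
    # 65535 is the largest value the 16-bit iterations field can carry.
    print("cost at 12 iterations:", nsec3_hash_cost(12), "  at 65535:", nsec3_hash_cost(65535))
    # Constructed crafted response: one benign record, one over-limit record.
    crafted = [("a.example", salt, 12), ("b.example", b"\xff" * 255, 65535)]
    print(validate_response(crafted))
```

The second record in the constructed response is refused outright, which is the behaviour a resolver needs: the decision has to be made from the iteration count in the record header, before hashing starts, because by the time the loop has run the CPU is already gone.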

Windows administrators should upgrade Unbound to a patched version immediately. While the exact version number was not specified in early disclosures, versions after 1.25.0 contain the fix. Download the latest Windows binary from the official NLnet Labs repository or compile from source. After updating, verify the installation by running unbound -V and checking that the reported version is greater than 1.25.0.
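The version check is easy to get wrong if versions are compared as strings ("1.9" sorts after "1.25"). As an added example that is not part of the original article, the following script parses the "Version X.Y.Z" line that unbound -V prints, compares it numerically against 1.25.0, and can be pointed at the installed binary. The install path and the sample output are constructed for the example; adjust the path to wherever Unbound is installed on the host.

```python
import re
import subprocess

# Affected versions are <= 1.25.0; anything strictly newer is considered patched.
LAST_AFFECTED = (1, 25, 0)

# Constructed sample of what unbound -V prints (only the Version line matters here).
SAMPLE_OUTPUT = "Version 1.25.0\n\nConfigure line: (constructed)\nLinked libs: (constructed)\n"


def parse_unbound_version(output: str) -> tuple:
    """Return the numeric version from unbound -V output as an (x, y, z) tuple."""
    m = re.search(r"^Version\s+(\d+)\.(\d+)\.(\d+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version x.y.z' line found in unbound -V output")
    return tuple(int(part) for part in m.groups())


def is_patched(version: tuple) -> bool:
    """Tuple comparison, so 1.25.1 and 1.26.0 pass while 1.9.0 and 1.25.0 do not."""
    return tuple(version) > LAST_AFFECTED


def check_installed(unbound_exe: str = r"C:\Program Files\Unbound\unbound.exe") -> bool:
    """Run the installed binary and report whether it is newer than the last affected release."""
    out = subprocess.run([unbound_exe, "-V"], capture_output=True, text=True, check=True).stdout
    return is_patched(parse_unbound_version(out))


if __name__ == "__main__":
    version = parse_unbound_version(SAMPLE_OUTPUT)
    print("sample reports", ".".join(map(str, version)), "patched:", is_patched(version))
```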

If an immediate upgrade is not feasible, a partial workaround exists: configure Unbound to disable DNSSEC validation for the affected zones, although this is rarely practical and undermines the security that Unbound was deployed to provide. A better short-term measure is to restrict recursion to trusted upstream resolvers that perform their own validation, such as Quad9 (9.9.9.9) or Google DNS (8.8.8.8), which filter out malformed DNSSEC records. This is configured with the forward-zone option in unbound.conf. However, even when forwarding, Unbound still validates the responses it receives from the forwarder, so the vulnerability remains exploitable if the forwarder relays crafted records. The only guaranteed fix is the update.

Applying the fix on Windows

Updating Unbound on Windows is straightforward. Download the latest zip archive from the NLnet Labs website, stop the Unbound service with net stop unbound, unpack the archive over the existing binaries (typically in C:\Program Files\Unbound), and restart the service. If Unbound runs as a Docker container, pull the latest image tag instead. For AD-integrated deployments where Unbound runs on domain controllers, schedule a maintenance window, since a service restart is required.

After applying the update, administrators should monitor CPU utilization and DNS query logs for any lingering anomalies. Tools like PerfMon can track processor time for unbound.exe; a sudden drop after patching indicates the fix is working. It is also prudent to confirm that DNSSEC validation still succeeds, for example with delv or dig +dnssec against a signed name, to ensure the resolver is functioning correctly.

Broader lessons for Windows DNS security

CVE-2026-42923 highlights the inherent tension between strict standards compliance and operational resilience. Windows DNS Server itself includes a DNSSEC validator, but many organizations opt for Unbound because of its transparency and frequent security audits. This incident shows that even well-audited software can fall victim to algorithmic-complexity attacks when it lets untrusted input dictate how much work it performs.

For Windows administrators, the takeaway is clear: diversify your defensive layers. Use multiple validating resolvers in parallel, implement central DNS firewall policies, and keep recursive resolver software updated with the same rigor as operating systems. The patch for CVE-2026-42923 is simple to apply, but the underlying class of vulnerability demands ongoing vigilance, especially as DNSSEC adoption grows and threat actors refine their techniques.

Quick reference for affected versions

Product               Affected version   Fixed version
NLnet Labs Unbound    ≤ 1.25.0           > 1.25.0 (latest)

Check the official NLnet Labs advisory for the exact fixed release number.

Stay ahead of emerging threats to your Windows DNS infrastructure by applying this critical fix without delay.