Microsoft’s Security Response Center has published details of CVE-2026-42923, a degradation-of-service vulnerability in NLnet Labs Unbound, the widely used open-source DNS recursive resolver. Disclosed on May 20, 2026, the flaw allows an attacker to degrade resolver performance by exploiting how Unbound validates DNSSEC‑signed zones that use NSEC3 with excessive hash iterations.

Unbound is a high-performance validating, recursive, caching DNS resolver that runs on a large share of the world's resolvers. Its security role is DNSSEC validation: it checks the signatures on the answers it receives and refuses to hand forged data to clients. Some Windows administrators run the NLnet Labs Windows build of Unbound on Windows Server or on Windows 10/11 hosts, either as a local forwarder in front of the native DNS client or to get DNSSEC validation the native client does not perform. Microsoft's listing of this CVE signals that the vulnerability is relevant to Windows environments, most likely through Unbound instances running on Windows, or possibly through Microsoft products that bundle Unbound.

The heart of the issue lies in NSEC3 (RFC 5155), the DNSSEC mechanism for authenticated denial of existence. When a queried name does not exist in a signed zone, the authoritative server returns NSEC3 records whose owner names are hashes of the zone's names, proving the absence without handing out a plain listing of the zone. The hash is SHA-1 over the owner name and a salt, re-applied a configurable number of extra times; the iteration count is chosen by the zone signer and published in the NSEC3PARAM and NSEC3 records. A validating resolver cannot take the server's hashes on trust, so it recomputes them, and for an NXDOMAIN proof that means hashing not only the query name but each candidate closest encloser down to the zone apex, plus the wildcard beneath the closest encloser, every one of them through the full iteration count. RFC 5155 originally capped iterations at 150, 500 or 2,500 depending on key size and told validators to treat higher counts as insecure; RFC 9276 later recommended that signers use 0 iterations and that validators refuse to do the work above a small cap. Cache poisoning is not required: an attacker who registers a domain, signs it with an absurd iteration count and induces the target resolver to look up non-existent names under it forces that resolver to burn CPU on hash rounds that prove nothing useful.

CVE-2026-42923 specifically arises because Unbound does not adequately bound the time or the number of iterations spent on NSEC3 validation. A steady stream of queries for non-existent names under the attacker's zone keeps every validating thread busy hashing, which saturates CPU cores, delays legitimate resolution and degrades service; in severe cases the resolver stops answering altogether, an outright denial of service. This is particularly dangerous for public resolvers and large enterprise deployments, where a single overloaded resolver can disrupt connectivity for thousands of users.
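To make the cost concrete, the following added example (not Unbound's code and not part of the original article) implements the RFC 5155 NSEC3 hash and counts the SHA-1 invocations a validator may need for a single NXDOMAIN proof. The helper names, the salt aabbccdd and the query names are constructed for the demonstration; the hash algorithm, the base32hex encoding and the closest-encloser search are the ones the RFC specifies.

```python
"""Constructed example: what an NSEC3 proof costs a validating resolver.

Implements the RFC 5155 NSEC3 hash (SHA-1, salt, extra iterations) and counts the
SHA-1 calls a validator may need for one NXDOMAIN proof. Hypothetical helper names;
not Unbound code.
"""
import hashlib
import time

BASE32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 extended-hex alphabet


def to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form: length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest becomes exactly 32 chars."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(BASE32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 s.5: IH(salt,x,0) = H(x||salt); IH(salt,x,k) = H(IH(salt,x,k-1)||salt).
    SHA-1 calls per name: iterations + 1."""
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def closest_encloser_candidates(qname: str, zone: str) -> list[str]:
    """Names a validator may hash for an NXDOMAIN proof: the qname and every ancestor
    down to the zone apex (the closest-encloser search of RFC 5155 s.8.3)."""
    q = [l for l in qname.rstrip(".").lower().split(".") if l]
    z = [l for l in zone.rstrip(".").lower().split(".") if l]
    if len(q) < len(z) or (z and q[len(q) - len(z):] != z):
        raise ValueError(f"{qname} is not under {zone}")
    return [".".join(q[i:]) + "." for i in range(len(q) - len(z) + 1)]


def sha1_calls_for_proof(qname: str, zone: str, iterations: int) -> int:
    """Worst-case SHA-1 invocations for one NXDOMAIN proof: every candidate closest
    encloser plus the wildcard under it, each hashed iterations+1 times."""
    n_names = len(closest_encloser_candidates(qname, zone)) + 1  # +1 for *.<closest encloser>
    return n_names * (iterations + 1)


def time_proof(qname: str, zone: str, salt: bytes, iterations: int) -> float:
    """Wall-clock seconds to hash every candidate name (plus one wildcard name)."""
    names = closest_encloser_candidates(qname, zone)
    names.append("*." + names[-1])  # wildcard at the apex; the real closest encloser may be deeper
    t0 = time.perf_counter()
    for n in names:
        nsec3_hash(n, salt, iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    salt = bytes.fromhex("aabbccdd")                # constructed salt
    zone, qname = "example.", "a.b.c.d.e.f.g.h.example."  # constructed names
    for it in (0, 10, 150, 2500, 65535):            # 65535 is the 16-bit field maximum
        calls = sha1_calls_for_proof(qname, zone, it)
        secs = time_proof(qname, zone, salt, it)
        print(f"iterations={it:>6}  sha1 calls={calls:>8}  {secs * 1000:8.2f} ms")
```

Running it shows why the iteration count matters more than the number of labels: the cost is (names to hash) times (iterations + 1), so an eight-label name under a zone signed with the field's maximum of 65535 iterations costs roughly 600,000 SHA-1 calls for one proof, versus ten calls for a zone signed with 0 iterations as RFC 9276 recommends. RFC 5155 Appendix A lists 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom as the hash of the apex "example." with salt aabbccdd and 12 iterations, which this code should reproduce if the wire encoding is right.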

The impact on Windows-based networks is twofold. First, any Windows machine running Unbound as a local resolver or forwarder is exposed until it is updated. Second, if an organization's Windows DNS Server role forwards to Unbound, the degradation propagates: every client behind that Windows DNS server sees slow or failed resolution as soon as the Unbound instance is saturated. Microsoft advisories do cover third-party software when it affects the Windows ecosystem or when active exploitation is known. As of now there are no confirmed reports of in-the-wild exploitation; the publication of this CVE suggests the details were shared with Microsoft under coordinated vulnerability disclosure, possibly by NLnet Labs themselves.

Mitigation before a patch is available comes down to capping the work and capping the rate. The Unbound knob for the former is val-nsec3-keysize-iterations, a quoted list of key-size/iteration pairs (the original text's harden-nsec3-iterations is not an Unbound option); setting every pair to a small cap such as 150, or lower, makes Unbound treat NSEC3 proofs with a higher count as insecure instead of computing them, which breaks nothing for legitimate zones since RFC 9276 asks signers to use 0 iterations anyway. Per-client limits use ip-ratelimit (queries per second per source IP, disabled by default). ratelimit is a different knob that throttles the queries Unbound sends towards a given zone's nameservers, and it also helps here because the attacker's zone is exactly where the expensive answers come from. aggressive-nsec: yes lets cached NSEC and NSEC3 records answer repeat lookups of non-existent names without another round trip. Network-level rate limiting per source IP in front of the resolver blunts an attack further, but only a code change removes the underlying weakness.

NLnet Labs, the maintainer of Unbound, is expected to release a security patch that enforces a stricter upper bound on NSEC3 iterations and introduces a configurable timeout for validation tasks. The patch may also refine the logic to reject responses that exceed a reasonable iteration count without attempting full validation. The advisory from NLnet Labs will likely carry a dedicated security announcement on their mailing list and website.

Microsoft has not issued a Windows update specifically for this CVE, as the vulnerability does not reside in Windows code. However, they may release an update to their own products that use Unbound internally if any exist. Users who installed Unbound via package managers like Chocolatey or directly from NLnet Labs should watch for a new release and apply it immediately. On Windows, updating Unbound typically means downloading the latest binary and replacing the existing executable, then restarting the service.

The discovery of CVE-2026-42923 underscores a persistent tension in DNSSEC: cryptographically strong denial of existence against the risk of resource exhaustion on the validator. NSEC3 was designed to make zone walking expensive, but the same hash iterations can be weaponised against the party that has to verify them. RFC 9276 already tells signers to use 0 iterations and validators to cap what they will compute; zone operators and resolver implementors must balance that guidance with performance today rather than wait for further standards work. This vulnerability belongs to a broader class of algorithmic complexity attacks against DNS resolvers: the NSEC3 closest-encloser CPU exhaustion issue CVE-2023-50868 and the KeyTrap signature-validation issue CVE-2023-50387, both disclosed in February 2024, hit BIND, Unbound, Knot Resolver and PowerDNS Recursor alike and were patched in each.

Looking ahead, the DNS community continues to explore NSEC5 and other alternatives that resist zone enumeration with different cost trade-offs rather than tunable hash iterations. For now the pragmatic advice is clear: keep Unbound updated, cap NSEC3 iterations and per-client query rates in your configuration, and watch resolver CPU and latency closely. The CVE-2026-42923 advisory is a reminder that even foundational internet technologies need continuous scrutiny against evolving threats.