
CVE-2026-42960 -- CVSS 10.0 Vulnerability Briefing

CVE-2026-42960 | CVSS 10.0 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-42960 is a DNS cache poisoning vulnerability in NLnet Labs Unbound, a widely deployed validating, recursive DNS resolver. It affects all versions up to and including 1.25.0 and is caused by improper handling of promiscuous resource record sets in the authority section of DNS replies.

Technical Detail

The flaw arises because Unbound accepts and caches RRSets in the authority section of DNS responses without sufficiently validating their relevance or ownership relative to the queried domain, a condition known as promiscuous record acceptance. An attacker positioned to inject or influence DNS responses, such as through a malicious or compromised authoritative server, can supply out-of-bailiwick records that Unbound will store in its cache, allowing subsequent queries to be resolved with attacker-controlled data. The practical impact is DNS cache poisoning, which can redirect users and systems to attacker-controlled infrastructure, enabling credential theft, traffic interception, or further exploitation of downstream services.

Exploitation Status

No known exploit code has been identified for this vulnerability at this time. The exploit maturity is assessed as none. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Despite the CVSS 10.0 critical score, there is no confirmed public proof-of-concept or evidence of active exploitation in the wild as of May 27, 2026.

Who Is Targeting This

Confirmed (ATTAX-verified): LuminousMoth (origin: China, motivation: nation-state), Cleaver (origin: Iran, motivation: nation-state), LAPSUS$ (origin: unconfirmed, motivation: unknown), and Sea Turtle (origin: unconfirmed, motivation: unknown). The presence of Sea Turtle is particularly notable given that group's established history of DNS hijacking operations. No additional reported or research-inferred actor associations are on record beyond those confirmed above.

What To Do

Operators running NLnet Labs Unbound should prioritize upgrading to a patched release beyond version 1.25.0 as soon as one is made available by NLnet Labs; monitor the official Unbound release channel and security advisories at nlnetlabs.nl for patch availability. In the interim, administrators should enforce strict bailiwick checking if configurable within the deployment environment, restrict recursive resolver access to trusted clients only, and consider enabling DNSSEC validation to reduce the effectiveness of cache poisoning attempts. Network defenders should monitor DNS resolver logs for anomalous authority section records, unexpected TTL values, or resolution results that diverge from known-good baselines. Given confirmed interest from DNS-focused threat actors including Sea Turtle and LuminousMoth, organizations in government, telecommunications, and critical infrastructure sectors should treat this as a high-priority remediation item regardless of the absence of active exploitation evidence.
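To make the log-monitoring advice concrete, the following added example (not Unbound's code and not the NLnet Labs fix) checks authority-section records against the two properties described under Technical Detail: ownership, meaning the owner name lies inside the zone the queried server answers for, and relevance, meaning an NS or SOA owner is an ancestor of the queried name. The `RR` tuple layout, the function names and the sample records are assumptions constructed for illustration; real input would come from parsed resolver logs or packet captures.

```python
from typing import NamedTuple

class RR(NamedTuple):
    owner: str   # owner name of the record
    rtype: str   # record type, e.g. "NS"
    ttl: int
    rdata: str

def labels(name):
    """Case-fold a DNS name and split it into labels; the root is ()."""
    name = name.rstrip(".").lower()
    return tuple(name.split(".")) if name else ()

def is_subdomain(name, zone):
    """True if name equals zone or sits below it, compared label by label."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and (not z or n[-len(z):] == z)

def audit_authority(qname, zone, authority):
    """Return (owner, rtype, reason) for each suspicious authority record.

    zone is the delegation point the resolver followed to reach the server.
    """
    findings = []
    for rr in authority:
        if not is_subdomain(rr.owner, zone):
            # The server has no authority over this name at all.
            findings.append((rr.owner, rr.rtype, "out-of-bailiwick"))
        elif rr.rtype in ("NS", "SOA") and not is_subdomain(qname, rr.owner):
            # In-zone, but not on the path from the zone down to the query.
            findings.append((rr.owner, rr.rtype, "unrelated-to-query"))
    return findings

# Constructed sample: authority section of a reply to a query for
# www.example.com. sent to a server reached via the example.com. delegation.
SAMPLE = [
    RR("example.com.", "NS", 3600, "ns1.example.com."),
    RR("Example.COM.", "NS", 3600, "ns2.example.com."),
    RR("bank.example.net.", "NS", 86400, "ns.other.invalid."),
    RR("notexample.com.", "NS", 86400, "ns.other.invalid."),
    RR("other.example.com.", "NS", 86400, "ns.other.invalid."),
]

if __name__ == "__main__":
    for finding in audit_authority("www.example.com.", "example.com.", SAMPLE):
        print(finding)
```

The comparison is done on whole labels, so `notexample.com.` is not mistaken for a name under `example.com.` the way a plain string suffix match would allow.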
