NLnet Labs Unbound up to and including version 1.25.0 has a denial of service vulnerability in the DNSSEC validator that can lead to a crash when malicious upstream replies are received. When Unbound constructs chase-reply messages for validation, the code uses the wrong counter to calculate the write offsets for ADDITIONAL section rrsets. DNAME duplication can increase the ANSWER section count and authority filtering can decrease the AUTHORITY section count, which together leave an uninitialized slot in the rrset array. The validator later dereferences this uninitialized pointer, causing an immediate process crash. An adversary controlling a DNSSEC-signed domain can trigger this bug with a single query by configuring a DNAME chain with unsigned CNAMEs and a response containing unsigned AUTHORITY records alongside signed ADDITIONAL glue records. Unbound 1.25.1 contains a fix that uses the proper counters to calculate the write offsets.
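To make the offset-counter mistake concrete, here is a simplified model of the bug class the advisory describes. This is added example code, not Unbound's source: the rrset array layout, the `build_chase_reply` and `first_uninitialised_slot` functions, and the choice of which stale counter the buggy variant uses (the original message's AUTHORITY count) are assumptions for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT Unbound's code. A reply keeps its rrsets in one
 * array: ANSWER, then AUTHORITY, then ADDITIONAL. The chase reply is rebuilt
 * from the original message; DNAME handling may add ANSWER rrsets and
 * filtering may drop unsigned AUTHORITY rrsets, so the chase counts drift
 * from the original counts. */
#define MAX_RRSETS 16

struct reply {
    const char *rrsets[MAX_RRSETS]; /* NULL means the slot was never written */
    size_t an, ns, ar;              /* section counts of the chase reply */
};

/* Assumption for illustration: the buggy variant computes the ADDITIONAL
 * write offset from the chase ANSWER count plus the ORIGINAL AUTHORITY
 * count; the fixed variant uses the counts actually written to the chase. */
static void build_chase_reply(struct reply *r, size_t orig_an, size_t orig_ns,
                              size_t orig_ar, size_t dname_added,
                              size_t ns_filtered, int fixed)
{
    size_t i, w = 0;
    memset(r, 0, sizeof *r);
    for (i = 0; i < orig_an + dname_added; i++) r->rrsets[w++] = "ANSWER";
    r->an = w;
    for (i = 0; i < orig_ns - ns_filtered; i++) r->rrsets[w++] = "AUTHORITY";
    r->ns = w - r->an;
    size_t base = fixed ? r->an + r->ns : r->an + orig_ns; /* stale counter */
    for (i = 0; i < orig_ar && base + i < MAX_RRSETS; i++)
        r->rrsets[base + i] = "ADDITIONAL";
    r->ar = orig_ar;
}

/* What a validator walk over the declared sections would hit: the index of
 * the first slot that was never written, or -1 if every slot is set. */
static int first_uninitialised_slot(const struct reply *r)
{
    size_t total = r->an + r->ns + r->ar;
    for (size_t i = 0; i < total && i < MAX_RRSETS; i++)
        if (r->rrsets[i] == NULL) return (int)i;
    return -1;
}

int main(void)
{
    struct reply r; /* constructed case: one DNAME-added ANSWER rrset, one filtered AUTHORITY rrset */
    build_chase_reply(&r, 1, 1, 1, 1, 1, 0);
    printf("buggy offsets: first uninitialised slot = %d\n", first_uninitialised_slot(&r));
    build_chase_reply(&r, 1, 1, 1, 1, 1, 1);
    printf("fixed offsets: first uninitialised slot = %d\n", first_uninitialised_slot(&r));
    return 0;
}
```

With the buggy offset the ADDITIONAL glue lands one slot past the end of the written AUTHORITY section, leaving a NULL slot inside the declared rrset count; the fixed offset closes the gap.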
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-42959 is a denial of service vulnerability in NLnet Labs Unbound DNS resolver versions up to 1.25.0 that exploits improper memory handling in DNSSEC validation. The flaw occurs when Unbound processes chase-reply messages during DNSSEC validation, specifically when constructing responses with DNAME records and authority section filtering. An attacker can send specially crafted upstream DNS replies that trigger uninitialized array access, causing the resolver to crash. This affects organizations running vulnerable Unbound versions on recursive resolvers, authoritative nameservers, and DNS firewalls—essentially any infrastructure relying on this widely deployed open-source DNS software for security validation.
While this CVE lacks direct MITRE ATT&CK technique mappings, Casky's extended reasoning capabilities would detect attack patterns consistent with T1498 (Network Denial of Service) through identification of crafted DNS protocol anomalies. Practitioners using Casky would observe findings related to malformed DNSSEC validation chains, unexpected DNAME duplication in DNS responses, and memory corruption indicators in resolver logs. The platform's 754 mapped security skills enable detection of the underlying root cause—CWE-824 (Access of Uninitialized Pointer)—by correlating DNS traffic patterns showing specific ADDITIONAL section misalignment with resolver crash events, allowing teams to pinpoint vulnerable instances before exploitation occurs.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-42959. Run one and get CVSS-scored findings in 3 minutes.