NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to cache poisoning via promiscuous records in the authority section. Promiscuous RRSets that accompany DNS replies in the authority section can be used to trick Unbound into caching such records. If an adversary is able to attach such records to a reply (e.g., via a spoofed packet or a fragmentation attack), they would be able to poison Unbound's cache. A malicious actor can exploit the possible poisoning effect by injecting RRSets other than NS that are also accompanied by address records in the reply, for example MX. This could be achieved by trying to spoof a reply packet or by fragmentation attacks. Unbound would then accept the corresponding address records in the additional section and cache them if the authority RRSet has enough trust at this point, i.e., in-zone data for the delegation point. Unbound 1.25.1 contains a patch with a fix that disregards address records from the additional section if they are not explicitly relevant only to auth
Casky was already ahead
This CVE involves attack patterns that Casky's 0 matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
NLnet Labs Unbound versions up to 1.25.0 contain a critical DNS cache poisoning vulnerability (CVSS 10.0) that allows attackers to inject malicious records into a resolver's cache through promiscuous RRSets in the authority section of DNS replies. It affects any organization running a vulnerable Unbound resolver; Unbound is widely deployed by ISPs, enterprises, and hosting providers as authoritative and recursive DNS servers. Using spoofed or fragmented DNS packets that carry such authority section records, an attacker can poison the resolver's cache with arbitrary data, causing it to serve incorrect DNS responses to all downstream clients. This enables large-scale DNS hijacking, phishing, malware distribution, and man-in-the-middle attacks against every user relying on the compromised resolver.
While Casky.ai's security skill framework currently shows zero directly mapped MITRE ATT&CK techniques for this specific DNS cache poisoning variant, practitioners using Claude AI's extended reasoning capabilities would benefit from detection logic aligned with T1020 (Automated Exfiltration), T1584 (Compromise Infrastructure), and T1557 (Man-in-the-Middle) patterns. Defenders should monitor for: (1) unusual authority section records in DNS traffic that don't correspond to legitimate zone delegations, (2) correlated cache inconsistencies across recursive resolver instances, (3) fragmented DNS packets from unexpected sources, and (4) downstream clients receiving DNS responses that don't match authoritative sources. Practitioners would see findings highlighting suspicious DNS reply patterns, anomalous record injection attempts, and cache state divergence, enabling them to identify poisoning attacks before widespread impact occurs.
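The first of those checks, as an added example that is neither Casky's nor Unbound's code: a minimal wire-format DNS reply parser that flags additional-section address records which are not glue for an NS RRset owned by the delegation point, i.e. the pattern the advisory describes (address records accompanying a non-NS RRset such as MX). The sample reply, its names, and the `delegation_point` parameter are constructed assumptions.

```python
import struct
A, NS, MX, AAAA = 1, 2, 15, 28

def read_name(msg, off):
    # Decode a (possibly compressed) wire-format name; return (name, offset after it).
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                          # compression pointer: follow it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n

def parse_reply(msg):
    # Return {section: [(owner, rtype, rdata_offset)]} for answer/authority/additional.
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        off = read_name(msg, off)[1] + 4
    secs = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            secs[sec].append((owner, rtype, off + 10))
            off += 10 + rdlen
    return secs

def unsanctioned_glue(msg, delegation_point):
    # Additional-section A/AAAA owners that are not NS targets of the delegation point
    # (e.g. an address record riding alongside an authority-section MX RRset).
    secs = parse_reply(msg)
    ns_targets = {read_name(msg, rd)[0] for owner, rtype, rd in secs["authority"]
                  if rtype == NS and owner == delegation_point}
    return [owner for owner, rtype, _ in secs["additional"]
            if rtype in (A, AAAA) and owner not in ns_targets]

# Constructed sample reply (hypothetical names): NS + MX in authority, two A records in additional.
def _name(n):
    return b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\x00"
def _rr(name, rtype, rdata):
    return _name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 2, 2) + _name("www.example.test")
          + struct.pack("!HH", A, 1) + _rr("example.test", NS, _name("ns1.example.test"))
          + _rr("example.test", MX, b"\x00\x0a" + _name("mail.example.test"))
          + _rr("ns1.example.test", A, bytes([192, 0, 2, 1])) + _rr("mail.example.test", A, bytes([192, 0, 2, 53])))
```

Run against live traffic, any non-empty result for a reply's delegation point is a finding worth correlating with the resolver's cache state.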
Casky has 0 skills that investigate the attack patterns behind CVE-2026-42960. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation