CVE-2026-42923
mediumCVSS v3 Base Score
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score
0.1%
Exploitation probability in 30 days
Top 82% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
None
Availability
Low
Published: May 20, 2026 (51 days ago)
Last Modified: May 20, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in Unbound's DNSSEC validator where the code path for consulting the negative cache for DS records does not honor the limit on NSEC3 hash calculations introduced in version 1.19.1. An adversary who controls a DNSSEC-signed zone can sign NSEC3 records with high iteration counts for child delegations, causing Unbound to perform excessive hash computations while holding a global lock on the negative cache. This temporarily blocks other resolver threads from accessing the negative cache, leading to degraded DNS resolution performance for the duration of the attack.
CWE
CWE-400Affected Products
Red Hat Enterprise Linux 10Red Hat Enterprise Linux 6Red Hat Enterprise Linux 7Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9Red Hat OpenShift Container Platform 4Red Hat Hardened Images