GHSA-xfcv-gp55-3wpf · 深刻度: medium — NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic...
NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic that could defeat its purpose and degrade resolution performance. Retransmits of the same query could renew the age of slow running queries and not allow the jostle logic to see them as aged and potential targets for replacement with new queries. An adversary who can query a vulnerable Unbound and who can control a domain name server that replies slowly and/or maliciously to Unbound's queries can exploit the vulnerability and degrade the resolution performance of Unbound. When Unbound's 'num-queries-per-thread' reaches its limit, the jostle logic kicks in. When a new query comes in, half of the available queries that are also slow to resolve are candidates for replacement. The vulnerability then happens because duplicate queries that need resolution would skew the aging result by using the timestamp of the latest duplicate query instead of the original one that started the resolution effort. Cache and local data response performance remains unaffected. Coordinated attacks could raise this to a denial of resolution service. Unbound 1.25.1 contains a patch with a fix to attach an initial, non-updatable start time for incoming queries that allow the jostle logic to work as intended.
総合評価: CVE-2026-42534 は中リスク(41.8/100)。CVSS 深刻度は中。悪用される可能性が高い(EPSS 0.52%、40 パーセンタイル) 推奨対応: 影響資産を整理し、修補計画に組み込んでください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-30 | 0.35% | 0.52% | +0.17% |
| 2 | 2026-06-15 | 0.04% | 0.35% | +0.31% |
| 3 | 2026-05-20 | — | 0.04% | — |
EPSS の全履歴 (全 3 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 6.9 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 5.3 | 3.1 | MEDIUM |
|
3.9 | 1.4 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c |
GHSA-xfcv-gp55-3wpf · 深刻度: medium — NLnet Labs Unbound up to and including version 1.25.0 has a vulnerability in the jostle logic...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-42534 not yet assigned priority: Debian including 1 source packages (unbound), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2. | https://security-tracker.debian.org/tracker/CVE-2026-42534 |
suse
|
medium | CVE-2026-42534 severity moderate: SUSE including 10 source package names (latest:rsync-3.2.7-5.1, libunbound8-1.20.0-150100.10.25.1, …), 62 product×package rows across 30 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, … (30 product lines)): First Fixed 49, Fixed 13. | https://www.suse.com/security/cve/CVE-2026-42534/ |
ubuntu
|
medium | CVE-2026-42534 medium priority: Ubuntu including 1 source packages (unbound), 9 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): needs-triage 5, released 4. | https://ubuntu.com/security/CVE-2026-42534 |