CVE-2026-41292

Summary

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

Affected Software

VendorProductVersion RangeStatus
NLnet LabsUnbound0 < 1.25.1affected

Weaknesses

  • CWE-407: CWE-407: Inefficient Algorithmic Complexity
  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

unbound: Unbound: Denial of Service via excessive EDNS options

Additional References

References