CVE-2026-42944
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red
Summary
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| NLnet Labs | Unbound | 1.14.0 < 1.25.1 | affected |
Weaknesses
- CWE-197: CWE-197: Numeric Truncation Error
- CWE-787: CWE-787: Out-of-bounds Write
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
Additional References
- https://access.redhat.com/security/cve/CVE-2026-42944
- https://bugzilla.redhat.com/show_bug.cgi?id=2479774
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42944.json
- https://access.redhat.com/errata/RHSA-2026:23231
- https://access.redhat.com/errata/RHSA-2026:24365
- https://access.redhat.com/errata/RHSA-2026:24369
- https://access.redhat.com/errata/RHSA-2026:19752
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.