Is there a patch available for CVE-2026-41292?

Yes, a patch is available for CVE-2026-41292. Update the affected software to the latest version immediately.

NLnet Labs Unbound CVE-2026-41292

Q: What is the CVSS score of CVE-2026-41292?

CVE-2026-41292 has a CVSS 4.0 base score of 6.6 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red. EPSS exploitation probability: 0.0%.

EUVD-2026-31078 MEDIUM

Inefficient Algorithmic Complexity (CWE-407)

2026-05-20 sep@nlnetlabs.nl

GHSA-2wvj-gvc7-gfhx

Denial Of Service Suse

6.6

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

May 20, 2026 - 11:02 EUVD

Analysis Generated

May 20, 2026 - 10:33 vuln.today

DescriptionNVD

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

AnalysisAI

Unbound DNS resolver versions up to and including 1.25.0 allow remote unauthenticated attackers to degrade or deny service by sending DNS queries carrying abnormally large numbers of EDNS options, causing resolver threads to become occupied with unbounded parsing and internal data structure allocation. Coordinated multi-source attacks amplify thread exhaustion into full denial of service for legitimate DNS clients. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-41292 vulnerability details – vuln.today

Back

NLnet Labs Unbound CVE-2026-41292

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

NLnet Labs Unbound CVE-2026-41292

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code