Skip to main content

NLnet Labs Unbound CVE-2026-42944

| EUVDEUVD-2026-31085 HIGH
Numeric Truncation Error (CWE-197)
2026-05-20 sep@nlnetlabs.nl GHSA-7mmq-q3m9-jrv7
8.7
CVSS 4.0 · Vendor: nlnetlabs
Share

Severity by source

Vendor (nlnetlabs) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (nlnetlabs).

CVSS VectorVendor: nlnetlabs

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:30 vuln.today

DescriptionCVE.org

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.

AnalysisAI

Heap overflow denial-of-service in NLnet Labs Unbound recursive DNS resolver versions 1.14.0 through 1.25.0 allows remote unauthenticated attackers to crash the resolver by sending DNS queries containing multiple NSID, DNS Cookie, and/or EDNS Padding options. The flaw stems from a numeric truncation in EDNS field size calculation that lets attacker-influenced data overflow the response buffer. No public exploit identified at time of analysis and not listed in CISA KEV, but the impact is service-wide DNS outage for any user of an affected resolver.

Technical ContextAI

Unbound is a widely deployed validating, recursive, caching DNS resolver maintained by NLnet Labs and used in many Linux distributions, BSD systems, and DNS appliances. The vulnerability is rooted in CWE-197 (Numeric Truncation Error) in the EDNS (Extension Mechanisms for DNS, RFC 6891) option encoding path: when the resolver constructs reply packets containing multiple NSID (RFC 5001), DNS Cookie (RFC 7873), or EDNS Padding (RFC 7830) options, a size calculation truncates to a smaller integer width than the actual encoded length. The encoder then writes past the heap allocation it was sized for, producing a heap buffer overflow write of Unbound-controlled data that leads to a process crash. The affected option emitters are only reached when the 'nsid', 'answer-cookie', or 'pad-responses' configuration options are active; 'pad-responses' is enabled by default, making default deployments reachable.

RemediationAI

Vendor-released patch: upgrade to Unbound 1.25.1, which both de-duplicates EDNS options and corrects the truncated size calculation in the EDNS field encoder - see https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt. If immediate upgrade is not possible, the trigger surface can be removed by disabling the three affected response options: set 'pad-responses: no' (default is yes, so this is the most impactful workaround - note it eliminates response padding that helps obscure DNS-over-TLS/HTTPS message lengths from on-path observers), ensure 'nsid:' is unset or empty, and set 'answer-cookie: no' (this disables DNS Cookie protection against off-path spoofing and reflection, a real trade-off for resolvers that previously relied on it). Network-layer compensating controls - restricting which clients can query the resolver via access-control lists or firewall rules - reduce exposure on internal resolvers but do not help open or ISP-facing deployments.

CVE-2019-18934 HIGH POC
7.3 Nov 19

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiv

CVE-2026-33278 CRITICAL
9.1 May 20

Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attac

CVE-2026-42959 HIGH
8.7 May 20

Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an at

CVE-2022-3204 HIGH
7.5 Sep 26

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolv

CVE-2020-10772 HIGH
7.5 Nov 27

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020

CVE-2020-12663 HIGH
7.5 May 19

Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. Rated high severity

CVE-2020-12662 HIGH
7.5 May 19

Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. Rated high severity

CVE-2019-16866 HIGH
7.5 Oct 03

Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIF

CVE-2024-1488 HIGH
7.3 Feb 15

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound grou

CVE-2026-42534 MEDIUM
6.9 May 20

Resolution performance degradation in NLnet Labs Unbound 1.25.0 and earlier allows an unauthenticated remote attacker -

CVE-2026-44390 MEDIUM
6.9 May 20

Denial of service in NLnet Labs Unbound 1.25.0 and earlier allows remote unauthenticated attackers to exhaust CPU resour

CVE-2026-41292 MEDIUM
6.6 May 20

Unbound DNS resolver versions up to and including 1.25.0 allow remote unauthenticated attackers to degrade or deny servi

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-42944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy