Skip to main content

NLnet Labs Unbound EUVDEUVD-2026-31078

| CVE-2026-41292 MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-05-20 sep@nlnetlabs.nl GHSA-2wvj-gvc7-gfhx
6.6
CVSS 4.0 · Vendor: nlnetlabs
Share

Severity by source

Vendor (nlnetlabs) PRIMARY
6.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (nlnetlabs).

CVSS VectorVendor: nlnetlabs

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:33 vuln.today

DescriptionCVE.org

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

AnalysisAI

Unbound DNS resolver versions up to and including 1.25.0 allow remote unauthenticated attackers to degrade or deny service by sending DNS queries carrying abnormally large numbers of EDNS options, causing resolver threads to become occupied with unbounded parsing and internal data structure allocation. Coordinated multi-source attacks amplify thread exhaustion into full denial of service for legitimate DNS clients. No public exploit identified at time of analysis; vendor-released patch is available in Unbound 1.25.1, which enforces a hard cap of 100 incoming EDNS options.

Technical ContextAI

Unbound is an open-source validating, recursive, and caching DNS resolver maintained by NLnet Labs. EDNS (Extension Mechanisms for DNS, RFC 6891) extends the base DNS protocol by allowing additional option fields to be carried in queries and responses. The vulnerability stems from Unbound's failure to bound the number of EDNS options it will process per incoming query: for each option present, the resolver allocates and populates internal data structures before enforcing any limit. This maps directly to CWE-407 (Inefficient Algorithmic Complexity), where attacker-controlled input size drives unbounded computational work - thread time scales linearly (or worse) with option count. The affected product is NLnet Labs Unbound, all releases up to and including 1.25.0. No CPE string was supplied in the input, but the product is identifiable as cpe:2.3:a:nlnetlabs:unbound with version constraint ≤ 1.25.0.

RemediationAI

The primary and definitive fix is to upgrade to Unbound 1.25.1 or later, which patches the vulnerability by enforcing a hard limit of 100 incoming EDNS options per query, as documented at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt. For deployments where immediate upgrading is not feasible, a compensating control is to deploy an EDNS-aware DNS firewall or proxy upstream of Unbound configured to drop or truncate queries containing more than a threshold number of EDNS options; note that this requires EDNS-inspecting appliances and risks false positives against legitimate high-option queries. Additionally, restricting the resolver's listener to trusted client IP ranges (via Unbound's access-control: directives) eliminates attack surface from untrusted networks, at the cost of excluding open-resolver use cases. Rate-limiting inbound DNS queries per source IP at the firewall layer reduces coordinated flood effectiveness but does not eliminate single-source degradation.

CVE-2019-18934 HIGH POC
7.3 Nov 19

Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiv

CVE-2026-33278 CRITICAL
9.1 May 20

Use-after-free in the DNSSEC validator of NLnet Labs Unbound resolver versions 1.19.1 through 1.25.0 allows remote attac

CVE-2026-42959 HIGH
8.7 May 20

Remote denial of service in NLnet Labs Unbound recursive DNS resolver (versions up to and including 1.25.0) allows an at

CVE-2026-42944 HIGH
8.7 May 20

Heap overflow denial-of-service in NLnet Labs Unbound recursive DNS resolver versions 1.14.0 through 1.25.0 allows remot

CVE-2022-3204 HIGH
7.5 Sep 26

A vulnerability named 'Non-Responsive Delegation Attack' (NRDelegation Attack) has been discovered in various DNS resolv

CVE-2020-10772 HIGH
7.5 Nov 27

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020

CVE-2020-12663 HIGH
7.5 May 19

Unbound before 1.10.1 has an infinite loop via malformed DNS answers received from upstream servers. Rated high severity

CVE-2020-12662 HIGH
7.5 May 19

Unbound before 1.10.1 has Insufficient Control of Network Message Volume, aka an "NXNSAttack" issue. Rated high severity

CVE-2019-16866 HIGH
7.5 Oct 03

Unbound before 1.9.4 accesses uninitialized memory, which allows remote attackers to trigger a crash via a crafted NOTIF

CVE-2024-1488 HIGH
7.3 Feb 15

A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound grou

CVE-2026-42534 MEDIUM
6.9 May 20

Resolution performance degradation in NLnet Labs Unbound 1.25.0 and earlier allows an unauthenticated remote attacker -

CVE-2026-44390 MEDIUM
6.9 May 20

Denial of service in NLnet Labs Unbound 1.25.0 and earlier allows remote unauthenticated attackers to exhaust CPU resour

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

EUVD-2026-31078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy