Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
Published: 2026-05-20
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when Unbound processes DNS queries that contain an unusually large number of EDNS options. Each query forces Unbound to parse and construct internal data structures for every option, which can consume excessive memory and CPU resources. When an attacker sends a high‑volume stream of such queries, the server’s threads become occupied while parsing, leading to a degradation of service or a full denial of service for legitimate clients.

Affected Systems

This issue affects NLnet Labs Unbound, specifically all releases through version 1.25.0 and earlier. Users running these versions are susceptible if they receive DNS traffic from untrusted networks. The patch that limits the number of accepted EDNS options is implemented in Unbound 1.25.1.

Risk and Exploitability

The CVSS base score of 6.6 indicates moderate severity. The EPSS score is not available, so the current exploitation probability cannot be quantified, but the fact that the vulnerability can be triggered over the network suggests a realistic threat. Since the vulnerability remains absent from the CISA KEV catalog, it has not been documented as a widely exploited weakness yet. The attack path is a straightforward network‑based attack where an adversary sends crafted DNS queries with more than the allowed EDNS options, causing Unbound threads to hang during parsing.

Generated by OpenCVE AI on May 20, 2026 at 11:24 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade to Unbound 1.25.1 or later to enforce the EDNS option limit.
  • If immediate upgrade is not possible, implement network filtering to reject DNS queries containing an excessively large number of EDNS options or reduce overall query rate.
  • Enable logging and monitoring of EDNS option counts to detect anomalous traffic patterns.

Generated by OpenCVE AI on May 20, 2026 at 11:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
Title Long list of incoming EDNS options degrades performance
Weaknesses CWE-407
CWE-770
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Red'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:11:23.425Z

Reserved: 2026-05-07T10:13:43.992Z

Link: CVE-2026-41292

cve-icon Vulnrichment

Updated: 2026-05-20T12:11:18.415Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:27.327

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-41292

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses