Description
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
Published: 2026-05-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbound versions 1.14.0 through 1.25.0 incorrectly calculate the size of EDNS options, allowing a crafted packet that contains multiple NSID, DNS Cookie, or EDNS Padding options to overflow the heap when encoded. This overflow writes Unbound‑controlled data and results in a crash of the server. The flaw does not provide code execution but can be used repeatedly to disrupt service availability for any client that can reach the resolver.

Affected Systems

The vulnerability affects NLnet Labs Unbound DNS resolver. All releases between 1.14.0 and 1.25.0, inclusive, are impacted. The issue is fixed in Unbound 1.25.1 and later releases.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. With no EPSS score reported and not listed in the CISA KEV catalog, exploitation is possible but the lack of published exploits means the attack surface depends on an attacker’s ability to send specially crafted queries. An attacker can target the resolver over the network and trigger the overflow by sending queries that enable the vulnerable EDNS options. The impact is a denial of service, and the vulnerability is exploitable remotely without authentication.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or newer, which removes duplicate EDNS options and corrects the size calculation.
  • If an upgrade is not feasible in the short term, disable the vulnerable EDNS options—NSID, answer-cookie, and pad-responses—through Unbound’s configuration to prevent the heap overflow.
  • Apply network filtering or firewall rules to limit the size or frequency of EDNS options sent to Unbound, thereby mitigating the risk of accidental or malicious overflow until a patch can be deployed.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6304-1 unbound security update
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
History

Thu, 21 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 20 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs unbound
CPEs cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*
Vendors & Products Nlnetlabs
Nlnetlabs unbound
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
Title Heap overflow with multiple NSID, COOKIE, PADDING EDNS options
Weaknesses CWE-197
CWE-787
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red'}

Subscriptions

Nlnetlabs Unbound
cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T13:38:17.529Z

Reserved: 2026-05-07T10:07:51.833Z

Link: CVE-2026-42944

cve-icon Vulnrichment

Updated: 2026-05-20T13:37:37.199Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-20T10:16:27.760

Modified: 2026-05-20T22:50:49.877

Link: CVE-2026-42944

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-20T11:33:22Z

Links: CVE-2026-42944 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:15:06Z

Weaknesses