Description
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
Published: 2026-05-20
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbound versions 1.14.0 through 1.25.0 incorrectly calculate the size of EDNS options, allowing a crafted packet that contains multiple NSID, DNS Cookie, or EDNS Padding options to overflow the heap when encoded. This overflow writes Unbound‑controlled data and results in a crash of the server. The flaw does not provide code execution but can be used repeatedly to disrupt service availability for any client that can reach the resolver.

Affected Systems

The vulnerability affects NLnet Labs Unbound DNS resolver. All releases between 1.14.0 and 1.25.0, inclusive, are impacted. The issue is fixed in Unbound 1.25.1 and later releases.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity. With no EPSS score reported and not listed in the CISA KEV catalog, exploitation is possible but the lack of published exploits means the attack surface depends on an attacker’s ability to send specially crafted queries. An attacker can target the resolver over the network and trigger the overflow by sending queries that enable the vulnerable EDNS options. The impact is a denial of service, and the vulnerability is exploitable remotely without authentication.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or newer, which removes duplicate EDNS options and corrects the size calculation.
  • If an upgrade is not feasible in the short term, disable the vulnerable EDNS options—NSID, answer-cookie, and pad-responses—through Unbound’s configuration to prevent the heap overflow.
  • Apply network filtering or firewall rules to limit the size or frequency of EDNS options sent to Unbound, thereby mitigating the risk of accidental or malicious overflow until a patch can be deployed.

Generated by OpenCVE AI on May 20, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8282-1 Unbound vulnerabilities
History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
Title Heap overflow with multiple NSID, COOKIE, PADDING EDNS options
Weaknesses CWE-197
CWE-787
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T13:38:17.529Z

Reserved: 2026-05-07T10:07:51.833Z

Link: CVE-2026-42944

cve-icon Vulnrichment

Updated: 2026-05-20T13:37:37.199Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:27.760

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-42944

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses