CVE-2026-41292
Undergoing Analysis - In Progress
Denial of Service in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor: nlnet_labs
Product: unbound
Version / Range: to 1.25.0 (inc)

CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41292 is a vulnerability in the Unbound DNS software up to version 1.25.0 where an attacker can send queries containing an excessive number of EDNS options.

This causes Unbound threads to become occupied while parsing and creating internal data structures for these options, effectively holding the threads hostage.

As a result, the system can experience degradation of service or even denial of service.

The vulnerability was fixed in Unbound version 1.25.1 by limiting the acceptable number of incoming EDNS options to 100.


How can this vulnerability impact me?

This vulnerability can impact you by causing degradation or denial of service on systems running vulnerable versions of Unbound DNS software.

An attacker can exploit this by sending specially crafted queries with too many EDNS options, which will occupy Unbound threads and slow down or disrupt DNS resolution services.

This can lead to reduced availability of DNS services, potentially affecting network operations and dependent applications.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability CVE-2026-41292 in Unbound DNS software, you should upgrade Unbound to version 1.25.1 or later, which contains a patch limiting the acceptable number of incoming EDNS options to 100.

Alternatively, if upgrading is not immediately possible, you can apply a manual patch to your existing Unbound 1.25.0 installation to limit the number of incoming EDNS options.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Unbound DNS servers being overwhelmed by queries containing an excessive number of EDNS options, which can degrade service or cause denial of service.

To detect this vulnerability on your network or system, you can monitor DNS traffic for queries that contain unusually large or excessive numbers of EDNS options.

While no specific commands are provided in the resources, a general approach would be to use network packet capture tools such as tcpdump or Wireshark to filter and inspect DNS queries for EDNS options.

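  • Use tcpdump to capture DNS traffic for inspection: tcpdump -i <interface> 'udp port 53' (this filter matches all DNS traffic over UDP, not only queries carrying EDNS options, and it does not capture DNS over TCP).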
  • Analyze captured packets in Wireshark and filter for DNS queries with EDNS options (look for OPT pseudo-records and count the options).
  • Check Unbound server logs for any unusual delays or thread occupancy related to DNS query processing.

Upgrading Unbound to version 1.25.1 or later is recommended to mitigate this issue.
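
The option count described above can be computed directly from a raw DNS payload. The following is an added example, not code from this page or from NLnet Labs: it walks a DNS message to its OPT pseudo-record and counts the EDNS options in it. The function names and the sample query are constructed for illustration, and treating "more than 100" as the alert threshold is an assumption based on the limit stated for Unbound 1.25.1.

```python
import struct
TYPE_OPT = 41            # OPT pseudo-RR type (RFC 6891)
EDNS_OPTION_LIMIT = 100  # limit the page gives for 1.25.1; "more than" is assumed

def _skip_name(msg, off):
    # Return the offset just past the domain name that starts at off.
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + length

def count_edns_options(msg):
    """Count EDNS options in a raw DNS message; None when it has no OPT record."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4           # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype != TYPE_OPT:
                off += rdlen
                continue
            end, count = off + rdlen, 0
            while off < end:                         # option: code, length, data
                _code, optlen = struct.unpack_from("!HH", msg, off)
                off += 4 + optlen
                count += 1
            if off != end:
                raise ValueError("EDNS option overruns the OPT RDATA")
            return count
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed DNS message") from None
    return None

def exceeds_limit(msg):
    count = count_edns_options(msg)
    return count is not None and count > EDNS_OPTION_LIMIT

def sample_query(n_options):
    """Constructed test input: example.com query with n empty EDNS options."""
    header = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    rdata = struct.pack("!HH", 65001, 0) * n_options  # local-use option code
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, len(rdata)) + rdata
    return header + question + opt
```

Pass it the DNS payload of each captured query (the UDP payload, or the TCP message without its two-byte length prefix); a `ValueError` marks a message that could not be parsed and deserves separate attention.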

