CVE-2026-41292
Analyzed Analyzed - Analysis Complete
Denial of Service in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-41292
EUVD
EUVD-2026-31078
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nlnetlabs unbound to 1.25.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41292 is a vulnerability in the Unbound DNS software up to version 1.25.0 where an attacker can send queries containing an excessive number of EDNS options.

This causes Unbound threads to become occupied while parsing and creating internal data structures for these options, effectively holding the threads hostage.

As a result, the system can experience degradation of service or even denial of service.

The vulnerability was fixed in Unbound version 1.25.1 by limiting the acceptable number of incoming EDNS options to 100.

Impact Analysis

This vulnerability can impact you by causing degradation or denial of service on systems running vulnerable versions of Unbound DNS software.

An attacker can exploit this by sending specially crafted queries with too many EDNS options, which will occupy Unbound threads and slow down or disrupt DNS resolution services.

This can lead to reduced availability of DNS services, potentially affecting network operations and dependent applications.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-41292 in Unbound DNS software, you should upgrade Unbound to version 1.25.1 or later, which contains a patch limiting the acceptable number of incoming EDNS options to 100.

Alternatively, if upgrading is not immediately possible, you can apply a manual patch to your existing Unbound 1.25.0 installation to limit the number of incoming EDNS options.

Detection Guidance

This vulnerability involves Unbound DNS servers being overwhelmed by queries containing an excessive number of EDNS options, which can degrade service or cause denial of service.

To detect this vulnerability on your network or system, you can monitor DNS traffic for queries that contain unusually large or excessive numbers of EDNS options.

While no specific commands are provided in the resources, a general approach would be to use network packet capture tools such as tcpdump or Wireshark to filter and inspect DNS queries for EDNS options.

  • Use tcpdump to capture DNS traffic and filter for EDNS options: tcpdump -i <interface> 'udp port 53'
  • Analyze captured packets in Wireshark and filter for DNS queries with EDNS options (look for OPT pseudo-records and count the options).
  • Check Unbound server logs for any unusual delays or thread occupancy related to DNS query processing.

Upgrading Unbound to version 1.25.1 or later is recommended to mitigate this issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart