CVE-2026-42944
Analyzed Analyzed - Analysis Complete
Heap Overflow in Unbound DNS Server

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-20
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-42944
EUVD
EUVD-2026-31085
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nlnetlabs unbound From 1.14.0 (inc) to 1.25.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-197 Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42944 is a heap overflow vulnerability in the Unbound DNS software versions 1.14.0 up to and including 1.25.0. It occurs when multiple NSID, DNS Cookie, or EDNS Padding options are encoded in a reply packet. The vulnerability arises due to incorrect size calculation and lack of de-duplication of these EDNS options, which leads to an overflow of the heap memory and can cause the software to crash.

An attacker can exploit this vulnerability by sending specially crafted queries containing multiple EDNS options to a vulnerable Unbound server. The flaw is fixed in version 1.25.1 by adding patches that de-duplicate the EDNS options and correct the size calculation to prevent truncation.

Impact Analysis

This vulnerability can lead to a heap overflow in the Unbound DNS server, which may cause the server to crash. Such crashes can result in denial of service, disrupting DNS resolution services that rely on Unbound.

Additionally, because the heap overflow involves writing controlled data, it could potentially be leveraged by an attacker to execute arbitrary code or further compromise the system, depending on the environment and exploitability.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or malformed DNS queries that include multiple NSID, DNS Cookie, or EDNS Padding options, as these are required to exploit the heap overflow.

Specifically, detection involves identifying DNS queries sent to Unbound servers that contain multiple EDNS options such as 'nsid', 'answer-cookie', and 'pad-responses'.

While no explicit commands are provided in the resources, network administrators can use packet capture tools like tcpdump or Wireshark to filter DNS queries with multiple EDNS options.

  • Use tcpdump to capture DNS traffic: tcpdump -i <interface> -n port 53
  • Analyze captured packets in Wireshark to look for DNS queries containing multiple EDNS options (NSID, DNS Cookie, EDNS Padding).
  • Check Unbound logs for crashes or unusual behavior that may indicate exploitation attempts.
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Unbound to version 1.25.1 or later, which contains patches that fix the vulnerability by de-duplicating EDNS options and correcting the size calculation to prevent heap overflow.

If upgrading immediately is not possible, applying manual patches that address the de-duplication of EDNS options and the EDNS field size calculation truncation can mitigate the risk.

Additionally, consider disabling or restricting the use of the relevant EDNS options ('nsid', 'answer-cookie', 'pad-responses') if they are not required in your environment to reduce the attack surface.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42944. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart