CVE-2026-42944
Heap Overflow in Unbound DNS Server
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: NLnet Labs
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nlnet_labs | unbound | From 1.14.0 (inc) to 1.25.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-197 | Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42944 is a heap overflow in the Unbound DNS resolver affecting versions 1.14.0 up to and including 1.25.0. It is triggered when multiple NSID, DNS Cookie, or EDNS Padding options are encoded into a reply packet. Two defects combine: the size reserved for the EDNS options is miscalculated because the computed size is truncated to a smaller integer type (CWE-197), and repeated options in the incoming query are not de-duplicated, so encoding them writes past the end of the heap buffer (CWE-787) and Unbound crashes.
An attacker triggers the flaw by sending a vulnerable Unbound server queries that carry several copies of these EDNS options. Version 1.25.1 fixes it by de-duplicating the EDNS options and correcting the size calculation so that it no longer truncates.
How can this vulnerability impact me? :
The overflow corrupts heap memory inside the Unbound process, which typically crashes it; for a resolver that means denial of service for every client that depends on it until the service is restarted, and the crash can be repeated for as long as the attacker can keep sending queries.
Because the out-of-bounds write is reached from network input, a more serious outcome (memory corruption leading to code execution) cannot be excluded on the information available; whether that is practical depends on the allocator, platform hardening and exactly what is written past the buffer. Only the crash is established by the description.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation requires a query whose OPT record carries more than one NSID, COOKIE or Padding option, so detection looks for DNS queries with repeated EDNS options rather than for any single option, which is normal traffic.
Note the distinction: 'nsid', 'answer-cookie' and 'pad-responses' are unbound.conf settings that make Unbound emit the corresponding EDNS options (codes 3, 10 and 12) in its replies; what crosses the wire, and what a detection rule matches on, are the EDNS options themselves.
The resources give no vendor-supplied detection commands, but a packet capture inspected with tcpdump or Wireshark is enough to look for such queries:
- Capture DNS traffic to a file for offline analysis: tcpdump -i <interface> -n -w dns.pcap port 53
- Open the capture in Wireshark and inspect the OPT record of incoming queries; a display filter such as dns.opt.code == 10 selects queries carrying a COOKIE option, but because the filter matches on any single instance, spotting a repeated option still needs per-packet inspection or a script.
- Check Unbound's logs and your service manager for crashes or unexpected restarts of the unbound process, which may indicate exploitation attempts.
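The detection logic described above, together with the de-duplication that the fix is described as adding, as an added worked example (this is not code from the page or from Unbound): a small DNS wire-format parser that pulls every option out of a query's OPT record, flags NSID, COOKIE or Padding options that appear more than once, and shows keep-first de-duplication of the option list. The query builder, the sample packets and the keep-first policy are constructed assumptions for this example; the option codes 3, 10 and 12 are the IANA-registered values for NSID, COOKIE and Padding.

```python
import struct

# EDNS option codes from the IANA registry: NSID (RFC 5001), COOKIE (RFC 7873),
# Padding (RFC 7830). These are the three options named in the advisory.
OPTION_NAMES = {3: "NSID", 10: "COOKIE", 12: "Padding"}


def _skip_name(buf, off):
    """Return the offset just past the domain name starting at off.
    A compression pointer (top two bits set) is a 2-byte terminator."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_options(packet):
    """Parse a DNS message and return [(code, data), ...] for every option in its
    OPT record, in wire order. Returns [] when the message has no OPT record."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    off = 12
    for _ in range(qdcount):                      # QNAME, then QTYPE + QCLASS
        off = _skip_name(packet, off) + 4
    options = []
    for _ in range(ancount + nscount + arcount):  # NAME, TYPE, CLASS, TTL, RDLENGTH
        off = _skip_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated RDATA")
        off += rdlen
        if rtype != 41:                           # 41 = OPT
            continue
        pos = 0
        while pos + 4 <= len(rdata):              # option: code(2) length(2) data
            code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
            data = rdata[pos + 4:pos + 4 + olen]
            if len(data) != olen:
                raise ValueError("truncated EDNS option")
            options.append((code, data))
            pos += 4 + olen
    return options


def repeated_watched_options(packet):
    """Detection check: {name: count} for NSID/COOKIE/Padding options that appear
    more than once in the query. An empty dict means nothing suspicious."""
    counts = {}
    for code, _data in edns_options(packet):
        if code in OPTION_NAMES:
            counts[code] = counts.get(code, 0) + 1
    return {OPTION_NAMES[c]: n for c, n in counts.items() if n > 1}


def dedupe_options(options):
    """Keep only the first occurrence of each option code. Keep-first is an
    assumption made for this example, not a statement of what 1.25.1 does exactly."""
    seen, kept = set(), []
    for code, data in options:
        if code not in seen:
            seen.add(code)
            kept.append((code, data))
    return kept


def build_query(qname, options, udp_size=1232):
    """Build a minimal A query carrying an OPT record with the given options.
    Exists only to construct sample input for this example."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"
    question = name + struct.pack("!HH", 1, 1)                    # A, IN
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata
    return header + question + opt


# Constructed samples: a query that repeats COOKIE and Padding (the pattern the
# detection looks for) next to a benign query carrying each option once.
SUSPICIOUS_QUERY = build_query("example.com", [
    (3, b""),          # NSID request (empty payload)
    (10, bytes(8)),    # COOKIE with an 8-byte client cookie
    (10, bytes(8)),    # COOKIE again
    (12, bytes(4)),    # Padding
    (12, bytes(4)),    # Padding again
])
BENIGN_QUERY = build_query("example.com", [(3, b""), (10, bytes(8)), (12, bytes(4))])

if __name__ == "__main__":
    print("suspicious:", repeated_watched_options(SUSPICIOUS_QUERY))
    print("benign:", repeated_watched_options(BENIGN_QUERY))
    print("deduped codes:", [c for c, _ in dedupe_options(edns_options(SUSPICIOUS_QUERY))])
```

To run this over a real capture, feed each UDP payload on port 53 (for TCP, the payload after the 2-byte length prefix) to repeated_watched_options; the parser deliberately raises on truncated messages rather than guessing, so wrap the call and log the exception alongside the source address.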
What immediate steps should I take to mitigate this vulnerability?
Upgrade Unbound to 1.25.1 or later. That release de-duplicates the EDNS options and corrects the size calculation so the heap buffer is sized for what is actually written, which removes the overflow.
If you cannot upgrade immediately, backport the two fixes (EDNS option de-duplication and the corrected, non-truncating size calculation) to the version you run and rebuild; a patched build is the only change that removes the bug.
As a stop-gap, turn off the settings that make Unbound emit these EDNS options if you do not need them: leave nsid unset, and set answer-cookie: no and pad-responses: no in unbound.conf. This shrinks the attack surface but does not fix the underlying code, so it should not replace the upgrade.
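A triage helper for the steps above, added here as an example rather than taken from the page or from Unbound: it reads the version from `unbound -V` output, checks it against the affected range stated on this page, and reports which of the three watched unbound.conf settings are explicitly enabled. The sample version string and configuration fragment are constructed; the 'key: value' parsing assumes the usual unbound.conf layout and does not apply Unbound's built-in defaults for settings that are absent.

```python
import re

# Affected range and fixed release as stated on this page.
AFFECTED_MIN = (1, 14, 0)
AFFECTED_MAX = (1, 25, 0)
FIXED = (1, 25, 1)
# unbound.conf settings that make Unbound emit NSID, COOKIE and Padding options.
WATCHED_SETTINGS = ("nsid", "answer-cookie", "pad-responses")


def parse_version(unbound_v_output):
    """Pull x.y.z out of `unbound -V` output (its first line reads 'Version 1.22.0')."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", unbound_v_output)
    if not match:
        raise ValueError("no version found in: %r" % unbound_v_output)
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when version falls inside the affected range, inclusive at both ends."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def watched_settings(conf_text):
    """Return {setting: value} for watched settings explicitly present in an
    unbound.conf body. '#' comments are stripped; absent settings stay absent."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^([a-z-]+):\s*(.*)$", line)
        if match and match.group(1) in WATCHED_SETTINGS:
            found[match.group(1)] = match.group(2).strip().strip('"')
    return found


def setting_is_on(key, value):
    """nsid is on whenever it has a value; the other two are yes/no switches."""
    if key == "nsid":
        return value != ""
    return value.lower() == "yes"


def triage(unbound_v_output, conf_text):
    """Combine the version check with the configuration review into one verdict."""
    version = parse_version(unbound_v_output)
    settings = watched_settings(conf_text)
    active = [k for k, v in settings.items() if setting_is_on(k, v)]
    affected = is_affected(version)
    if not affected:
        action = "not in the affected range; no action for this CVE"
    else:
        action = "upgrade to %d.%d.%d or later" % FIXED
        if active:
            action += "; until then consider turning off: " + ", ".join(active)
    return {"version": version, "affected": affected,
            "active_settings": active, "action": action}


# Constructed sample input (not output from a real host): the first line of
# `unbound -V` and an unbound.conf fragment that enables two of the three settings.
SAMPLE_VERSION_OUTPUT = "Version 1.22.0\n"
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    nsid: "ascii_resolver-1"
    answer-cookie: yes
    pad-responses: no   # explicitly disabled
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF))
```

On a real host, pass the output of `unbound -V` and the contents of the configuration file (including any included files, which this helper does not follow) to triage; a distribution package that backports the fix without bumping the version will still be reported as affected, so confirm with the package changelog in that case.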