Unbound <1.25.1 DoS via Excess EDNS Options
CVE-2026-41292 Published on May 20, 2026
Long list of incoming EDNS options degrades performance
NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
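As an added example (not code from NLnet Labs or from this advisory), the following Python code counts the EDNS options in the OPT record of a raw DNS message, for instance one taken from a packet capture, so that queries carrying more options than the 100-option limit named above can be flagged. The function names, the constructed sample query and the choice to treat exactly 100 options as acceptable are assumptions.

```python
import struct
OPT_TYPE = 41            # EDNS(0) OPT pseudo-RR type (RFC 6891)
EDNS_OPTION_LIMIT = 100  # limit the advisory gives for Unbound 1.25.1

SAMPLE_QUERY = (  # constructed: example.com A query, OPT RR with 3 options
    bytes.fromhex("123401000001000000000001")            # header, ARCOUNT=1
    + b"\x07example\x03com\x00" + bytes.fromhex("00010001")
    + bytes.fromhex("00002904d0000000000016")            # OPT RR, RDLENGTH=22
    + bytes.fromhex("000a00080102030405060708000c00020000fde90000"))

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length
        if length == 0:
            return off

def count_edns_options(msg):
    """Count options in the OPT RR of a raw DNS message (0 if no OPT RR)."""
    try:
        _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off, end = off + 10, off + 10 + rdlen
            if end > len(msg):
                raise ValueError("RDATA runs past end of message")
            if rtype == OPT_TYPE:
                count = 0
                while off < end:                    # code(2) length(2) data
                    _code, optlen = struct.unpack_from("!HH", msg, off)
                    off, count = off + 4 + optlen, count + 1
                if off != end:
                    raise ValueError("option overruns OPT RDATA")
                return count
            off = end
        return 0
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed DNS message") from exc

def exceeds_limit(msg, limit=EDNS_OPTION_LIMIT):
    """True if the message carries more EDNS options than `limit`."""
    return count_edns_options(msg) > limit
```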
Timeline
Issue reported by N0zoM1z0
NLnet Labs shares patch 1 day later.
N0zoM1z0 verifies patch 1 day later.
Issue also reported by Qifan Zhang 103 days later.
NLnet Labs shares same patch 2 days later.
Qifan Zhang verifies patch 1 day later.
Fixes released with version 1.25.1 21 days later.
Weakness Types
Inefficient Algorithmic Complexity
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Products Associated with CVE-2026-41292
Affected Versions
NLnet Labs Unbound: versions before 1.25.1 are affected.