Unbound 1.14.01.25.0 Heap Overflow via EDNS Options
CVE-2026-42944 Published on May 20, 2026

Heap overflow with multiple NSID, COOKIE, PADDING EDNS options
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.

Vendor Advisory NVD

Timeline

2026-04-26

Issue reported by Qifan Zhang

2026-04-28

NLnet Labs shares patch 2 days later.

2026-04-29

Qifan Zhang verifies patch 1 day later.

2026-05-20

Fixes released with version 1.25.1 21 days later.

Weakness Types

Numeric Truncation Error

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion. When a primitive is cast to a smaller primitive, the high order bits of the large value are lost in the conversion, potentially resulting in an unexpected value that is not equal to the original value. This value may be required as an index into a buffer, a loop iterator, or simply necessary state data. In any case, the value cannot be trusted and the system will be in an undefined state. While this method may be employed viably to isolate the low bits of a value, this usage is rare, and truncation usually implies that an implementation error has occurred.

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2026-42944 has been classified to as a Memory Corruption vulnerability or weakness.

Products Associated with CVE-2026-42944

Want to know whenever a new CVE is published for Nlnetlabs Unbound? stack.watch will email you.

Nlnetlabs Unbound

Affected Versions

NLnet Labs Unbound:

Version 1.14.0 and below 1.25.1 is affected.