CVE-2026-41292

CVE-2026-41292

Name

CVE-2026-41292

Description

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
sep@nlnetlabs.nl	https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt

Type

URI

sep@nlnetlabs.nl

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nlnetlabs:unbound::::::::`	unbound	>= None	< 1.25.1

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*

unbound

>= None

< 1.25.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
unbound	edge-main	1.25.1-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
unbound	edge-main	1.25.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.24.2-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.24.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.24.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.24.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.23.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.23.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.23.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.23.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.23.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.22.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.21.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.20.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.19.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.19.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.16.3-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.16.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	edge-main	1.10.1-r0	None	possibly vulnerable
unbound	edge-main	1.9.5-r0	None	possibly vulnerable
unbound	edge-main	1.9.4-r0	None	possibly vulnerable
unbound	3.23-main	1.24.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.22-main	1.23.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.22-main	1.23.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.22-main	1.23.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.22-main	1.21.1-r0	None	possibly vulnerable
unbound	3.22-main	1.20.0-r0	None	possibly vulnerable
unbound	3.22-main	1.19.2-r0	None	possibly vulnerable
unbound	3.22-main	1.19.1-r0	None	possibly vulnerable
unbound	3.22-main	1.16.3-r0	None	possibly vulnerable
unbound	3.22-main	1.16.2-r0	None	possibly vulnerable
unbound	3.22-main	1.10.1-r0	None	possibly vulnerable
unbound	3.22-main	1.9.5-r0	None	possibly vulnerable
unbound	3.22-main	1.9.4-r0	None	possibly vulnerable
unbound	3.21-main	1.22.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.21-main	1.22.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.21-main	1.21.1-r0	None	possibly vulnerable
unbound	3.21-main	1.20.0-r0	None	possibly vulnerable
unbound	3.21-main	1.19.2-r0	None	possibly vulnerable
unbound	3.21-main	1.19.1-r0	None	possibly vulnerable
unbound	3.21-main	1.16.3-r0	None	possibly vulnerable
unbound	3.21-main	1.16.2-r0	None	possibly vulnerable
unbound	3.21-main	1.10.1-r0	None	possibly vulnerable
unbound	3.21-main	1.9.5-r0	None	possibly vulnerable
unbound	3.21-main	1.9.4-r0	None	possibly vulnerable
unbound	3.20-main	1.20.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.20-main	1.20.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.20-main	1.20.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.20-main	1.19.2-r0	None	possibly vulnerable
unbound	3.20-main	1.19.1-r0	None	possibly vulnerable
unbound	3.20-main	1.16.3-r0	None	possibly vulnerable
unbound	3.20-main	1.16.2-r0	None	possibly vulnerable
unbound	3.20-main	1.10.1-r0	None	possibly vulnerable
unbound	3.20-main	1.9.5-r0	None	possibly vulnerable
unbound	3.20-main	1.9.4-r0	None	possibly vulnerable
unbound	3.19-main	1.20.0-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.19-main	1.20.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.19-main	1.20.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.19-main	1.19.2-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.19-main	1.19.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
unbound	3.19-main	1.16.3-r0	None	possibly vulnerable
unbound	3.19-main	1.16.2-r0	None	possibly vulnerable
unbound	3.19-main	1.10.1-r0	None	possibly vulnerable
unbound	3.19-main	1.9.5-r0	None	possibly vulnerable
unbound	3.19-main	1.9.4-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages