CVE-2026-42944

Heap overflow with multiple NSID, COOKIE, PADDING EDNS options

Assigner: NLnet Labs
Reserved: 07.05.2026 Published: 20.05.2026 Updated: 20.05.2026

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red
CVSS Score: 8.7

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	NLnet Labs
Product	Unbound
Versions	Default: unaffected affected from 1.14.0 to 1.25.1 (excl.)

Vendor

NLnet Labs

Product

Unbound

Versions

Default: unaffected

affected from 1.14.0 to 1.25.1 (excl.)

Solutions

This issue is fixed starting with version 1.25.1

Credits

Qifan Zhang (Palo Alto Networks) finder

References

Problem Types

CWE-197: Numeric Truncation Error CWE
CWE-787: Out-of-bounds Write CWE