CVE-2026-41292

UNKNOWN 0.0

Long list of incoming EDNS options degrades performance

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

CWE	CWE-407 CWE-770
Vendor	nlnet labs
Product	unbound
Published	May 20, 2026
Last Updated	May 20, 2026

Stay Ahead of the Next One

Get instant alerts for nlnet labs unbound

Be the first to know when new unknown vulnerabilities affecting nlnet labs unbound are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

NLnet Labs / Unbound

0 < 1.25.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

nlnetlabs.nl: https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt

Credits

GitHub user N0zoM1z0 Qifan Zhang (Palo Alto Networks)