Long list of incoming EDNS options degrades performance
Summary
| CVE | CVE-2026-41292 |
|---|---|
| State | PUBLISHED |
| Assigner | NLnet Labs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-20 10:16:27 UTC |
| Updated | 2026-06-30 03:19:25 UTC |
| Description | NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100). |
Risk And Classification
Primary CVSS: v4.0 6.6 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
EPSS: 0.005560000 probability, percentile 0.423280000 (date 2026-07-04)
Problem Types: CWE-407 | CWE-770 | CWE-1050 | CWE-407 CWE-407: Inefficient Algorithmic Complexity | CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling | CWE-1050 Excessive Platform Resource Consumption within a Loop
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/C... |
| 4.0 | CNA | CVSS | 6.6 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U... |
| 3.1 | [email protected] | Primary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | NLnet Labs | Unbound | affected 1.25.1 semver | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 16.2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 17.1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 18.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Data Grid 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt | [email protected] | www.nlnetlabs.nl | Mitigation, Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-41292.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-41292 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: GitHub user N0zoM1z0 (en)
CNA: Qifan Zhang (Palo Alto Networks) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-01-11T00:00:00.000Z | Issue reported by N0zoM1z0 |
| CNA | 2026-01-12T00:00:00.000Z | NLnet Labs shares patch |
| CNA | 2026-01-13T00:00:00.000Z | N0zoM1z0 verifies patch |
| CNA | 2026-04-26T00:00:00.000Z | Issue also reported by Qifan Zhang |
| CNA | 2026-04-28T00:00:00.000Z | NLnet Labs shares same patch |
| CNA | 2026-04-29T00:00:00.000Z | Qifan Zhang verifies patch |
| CNA | 2026-05-20T00:00:00.000Z | Fixes released with version 1.25.1 |
| ADP | 2026-05-20T10:00:54.433Z | Reported to Red Hat. |
| ADP | 2026-05-20T09:19:13.022Z | Made public. |
Solutions
CNA: This issue is fixed starting with version 1.25.1