CVE-2026-42944
Published 2026-05-20
CVE-2026-42944: NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie…
Priority: P346 · Severity: high · CVSS 3.1 score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.84% (53.3rd percentile)
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
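The two ingredients named above, repeated reflected EDNS options in the query and a size computation that loses its high bits, can be made concrete with a small checker. This is an added example written for this page, not Unbound's code or NLnet Labs' patch: it parses the RDATA of an EDNS OPT record, counts NSID/COOKIE/Padding options that appear more than once, keeps only the first of each (the de-duplication the advisory says 1.25.1 adds), and shows what a 16-bit size field does to a sum that exceeds it. The option codes are the IANA EDNS option assignments; the sample packets are constructed here for illustration, and the function and field names are the example's own.

```python
"""Checker for repeated / oversized EDNS options in a query's OPT RDATA.

Added example (not Unbound code). Illustrates the mechanism described for
CVE-2026-42944: options that the resolver echoes into its reply must not
be repeated, and any 16-bit size computation over them truncates once the
real total exceeds 65535.
"""
import struct
from collections import Counter

# IANA EDNS option code assignments (real values).
EDNS_NSID = 3
EDNS_COOKIE = 10
EDNS_PADDING = 12

# Options the advisory says are encoded into the reply when enabled.
REFLECTED_OPTIONS = {EDNS_NSID: "NSID", EDNS_COOKIE: "COOKIE", EDNS_PADDING: "Padding"}

SIZE_FIELD_MAX = 0xFFFF  # a 16-bit length field keeps only the low 16 bits


def parse_edns_options(rdata: bytes):
    """Parse OPT RDATA into a list of (code, data) tuples.

    Raises ValueError when an option's length field runs past the end of
    the RDATA, which is itself a malformed packet.
    """
    options = []
    pos = 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option data runs past RDATA end")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def build_edns_options(options) -> bytes:
    """Inverse of parse_edns_options: serialise (code, data) tuples."""
    out = bytearray()
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return bytes(out)


def duplicate_reflected_options(options):
    """Return {name: count} for reflected option codes present more than once."""
    counts = Counter(code for code, _ in options)
    return {REFLECTED_OPTIONS[c]: n for c, n in counts.items()
            if c in REFLECTED_OPTIONS and n > 1}


def dedupe_options(options):
    """Keep only the first occurrence of each reflected option code
    (the de-duplication behaviour the advisory attributes to 1.25.1)."""
    seen = set()
    kept = []
    for code, data in options:
        if code in REFLECTED_OPTIONS:
            if code in seen:
                continue
            seen.add(code)
        kept.append((code, data))
    return kept


def encoded_size(options):
    """Return (true_size, truncated_16bit, fits).

    true_size is the exact number of bytes the options occupy on the wire.
    truncated_16bit is what a 16-bit size variable would hold; when fits is
    False the encoder believes it has far less data than it writes, which
    is the class of error the advisory describes.
    """
    true_size = sum(4 + len(data) for _, data in options)
    return true_size, true_size & SIZE_FIELD_MAX, true_size <= SIZE_FIELD_MAX


def check_query_options(rdata: bytes) -> dict:
    """Summarise one query's OPT RDATA from a defender's point of view."""
    try:
        options = parse_edns_options(rdata)
    except ValueError as exc:
        return {"malformed": str(exc)}
    size, _, fits = encoded_size(options)
    return {
        "malformed": None,
        "duplicates": duplicate_reflected_options(options),
        "true_size": size,
        "size_fits_16bit": fits,
        "deduped_rdata": build_edns_options(dedupe_options(options)),
    }


if __name__ == "__main__":
    # Constructed sample: two NSID, one COOKIE, two Padding options.
    sample = build_edns_options([(EDNS_NSID, b""), (EDNS_NSID, b""),
                                 (EDNS_COOKIE, b"\x01" * 8),
                                 (EDNS_PADDING, b"\x00" * 16),
                                 (EDNS_PADDING, b"\x00" * 4)])
    print(check_query_options(sample))
```

`check_query_options` is the piece a log-enrichment or packet-inspection hook would call: a non-empty `duplicates` map or `size_fits_16bit == False` on a query is exactly the traffic shape the advisory says triggers the bug, and `deduped_rdata` is what the options look like once the documented fix has been applied.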
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnet_labs | unbound | >= 1.14.0 < 1.25.1 | 1.25.1 |
| nlnetlabs | unbound | — | — |
| nlnetlabs | unbound | >= 1.14.0 < 1.25.1 | 1.25.1 |
| ubuntu | unbound | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red |
| vendor_redhat | n/a | 8.7 | HIGH | n/a |
| vendor_ubuntu | n/a | 4.6 | MEDIUM | n/a |
VulDB
NLnet Labs Unbound up to 1.25.0 numeric truncation error (Nessus ID 315760)
vuldb·2026-05-23·CVSS 8.7
CVE-2026-42944 [HIGH] NLnet Labs Unbound up to 1.25.0 numeric truncation error (Nessus ID 315760)
A vulnerability labeled as problematic has been found in NLnet Labs Unbound up to 1.25.0. This affects an unknown part. Such manipulation leads to numeric truncation error.
This vulnerability is referenced as CVE-2026-42944. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
GHSA
GHSA-7mmq-q3m9-jrv7: NLnet Labs Unbound 1
ghsa_unreviewed·2026-05-20
CVE-2026-42944 [HIGH] CWE-197 GHSA-7mmq-q3m9-jrv7: NLnet Labs Unbound 1
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-dup
BSD
FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
bsd_advisories·2026-06-09·CVSS 5.3
CVE-2026-32792 [MEDIUM] FreeBSD-SA-26:33.unbound: Multiple vulnerabilities in unbound
FreeBSD-SA-26:33.unbound Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in unbound
Category: contrib
Module: unbound
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE)
2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2)
2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923,
CVE-2026-42944, CVE-2026-42959, CVE-2026-42960,
CVE-2026-44390, CVE-2026-44608
For general information regarding FreeBSD Security Advisories,
including descriptio
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 4.6
CVE-2026-42959 [MEDIUM] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
USN-8282-1 fixed vulnerabilities in Unbound. This update provides the
corresponding updates for CVE-2026-41292 in Ubuntu 18.04 LTS and Ubuntu
20.04 LTS and CVE-2026-42959, CVE-2026-42960 in Ubuntu 14.04 LTS, Ubuntu
16.04 LTS, Ubuntu 18.04 LTS, and Ubuntu 20.04 LTS.
Original advisory details:
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected U
Ubuntu
Unbound vulnerabilities
vendor_ubuntu·2026-05-20·CVSS 4.6
CVE-2026-33278 [MEDIUM] Unbound vulnerabilities
Title: Unbound vulnerabilities
Summary: Several security issues were fixed in Unbound.
Andrew Griffiths discovered that Unbound did not properly handle certain
DNSCrypt packets. A remote attacker could possibly use this issue to cause
Unbound to crash, resulting in a denial of service. (CVE-2026-32792)
Qifan Zhang discovered that Unbound incorrectly handled DNSSEC validation
in certain situations. A remote attacker could possibly use this issue to
execute arbitrary code. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-33278)
Qifan Zhang discovered that Unbound incorrectly handled certain ghost
domain name records. A remote attacker could possibly use this issue to
cause a denial of service. This issue only affected Ubuntu 24.04 LTS,
Ubuntu 25.10
Red Hat
unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
vendor_redhat·2026-05-20·CVSS 8.7
CVE-2026-42944 [HIGH] unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
A flaw was found in Unbound, a Domain Name System (DNS) resolver. A remote attacker could trigger a heap overflow by sending specially crafted DNS reply packets. This occurs when Unbound attempts to encode multiple Name Server Identifier (NSID) or Extension Mechanisms for DNS (EDNS) Cookie options, or EDNS Padding options, and these options are enabled. Successful exploitation of this vulnerability could lead to a denial of service (DoS), making the Unbound service unavailable.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base,
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42944 unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options [fedora-all]
bugzilla·2026-05-26·CVSS 8.7
CVE-2026-42944 [HIGH] CVE-2026-42944 unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options [fedora-all]
CVE-2026-42944 unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42944 unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
bugzilla·2026-05-19·CVSS 8.7
CVE-2026-42944 [HIGH] CVE-2026-42944 unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
CVE-2026-42944 unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
A vulnerability was found in Unbound that results in heap overflow when
encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in
the reply packet.
The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need
to be enabled for the vulnerability to be exploited.
Unbound 1.25.1 includes a fix to de-duplicate the EDNS options and a fix to
prevent truncation of the EDNS field size calculation that also contributes to
the heap overflow.
References:
- https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt
- https://access.redhat.com/errata/RHSA-2026:19752
- https://access.redhat.com/errata/RHSA-2026:23231
- https://access.redhat.com/errata/RHSA-2026:24365
- https://access.redhat.com/errata/RHSA-2026:24369
- https://access.redhat.com/security/cve/CVE-2026-42944
- https://bugzilla.redhat.com/show_bug.cgi?id=2479774
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42944.json
Published: 2026-05-20