CVE-2026-42944: CWE-197: Numeric Truncation Error in NLnet Labs Unbound
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
AI Analysis
Technical Summary
The vulnerability in NLnet Labs Unbound (CVE-2026-42944) arises from a numeric truncation error (CWE-197) in the encoding of multiple EDNS options (NSID, DNS Cookie, EDNS Padding) in DNS reply packets. When these options are enabled and multiple instances are attached to a query, the flawed size calculation truncates the actual size, causing the encoder to overflow the allocated heap buffer. This heap overflow can lead to a crash of the Unbound DNS resolver. The issue affects versions 1.14.0 up to and including 1.25.0. Unbound 1.25.1 contains a patch that addresses the vulnerability by removing duplicate EDNS options and fixing the size calculation to prevent truncation.
Potential Impact
An unauthenticated remote attacker able to send DNS queries to a vulnerable Unbound server with the relevant EDNS options enabled can cause a heap overflow, resulting in a denial of service (crash) of the DNS resolver. The CVSS 4.0 score is 8.7 (high severity), indicating significant impact due to remote, unauthenticated exploitation without user interaction. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Unbound to version 1.25.1 or later, which contains an official fix that de-duplicates EDNS options and corrects the size calculation to prevent the heap overflow. Until the upgrade is applied, consider disabling the relevant EDNS options ('nsid', 'answer-cookie', 'pad-responses') if feasible to reduce exposure. Patch status is not explicitly stated in vendor advisory content but the description confirms the fix in 1.25.1. Check the official NLnet Labs advisory for the latest remediation guidance.
CVE-2026-42944: CWE-197: Numeric Truncation Error in NLnet Labs Unbound
Description
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in NLnet Labs Unbound (CVE-2026-42944) arises from a numeric truncation error (CWE-197) in the encoding of multiple EDNS options (NSID, DNS Cookie, EDNS Padding) in DNS reply packets. When these options are enabled and multiple instances are attached to a query, the flawed size calculation truncates the actual size, causing the encoder to overflow the allocated heap buffer. This heap overflow can lead to a crash of the Unbound DNS resolver. The issue affects versions 1.14.0 up to and including 1.25.0. Unbound 1.25.1 contains a patch that addresses the vulnerability by removing duplicate EDNS options and fixing the size calculation to prevent truncation.
Potential Impact
An unauthenticated remote attacker able to send DNS queries to a vulnerable Unbound server with the relevant EDNS options enabled can cause a heap overflow, resulting in a denial of service (crash) of the DNS resolver. The CVSS 4.0 score is 8.7 (high severity), indicating significant impact due to remote, unauthenticated exploitation without user interaction. There is no indication of known exploits in the wild at this time.
Mitigation Recommendations
Upgrade Unbound to version 1.25.1 or later, which contains an official fix that de-duplicates EDNS options and corrects the size calculation to prevent the heap overflow. Until the upgrade is applied, consider disabling the relevant EDNS options ('nsid', 'answer-cookie', 'pad-responses') if feasible to reduce exposure. Patch status is not explicitly stated in vendor advisory content but the description confirms the fix in 1.25.1. Check the official NLnet Labs advisory for the latest remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- NLnet Labs
- Date Reserved
- 2026-05-07T10:07:51.833Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0d86fdba1db4736270ee69
Added to database: 5/20/2026, 10:03:41 AM
Last enriched: 5/20/2026, 10:18:54 AM
Last updated: 5/21/2026, 4:29:35 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.