VYPR
← All advisories
High severity7.5NVD Advisory· Published May 20, 2026· Updated May 20, 2026

CVE-2026-41292

CVE-2026-41292

Description

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unbound up to 1.25.0 vulnerable to degradation of service via excessive EDNS options; fixed in 1.25.1.

Vulnerability

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options [1].

Exploitation

An attacker requires network access to send DNS queries to an Unbound server. By sending queries with an excessive number of EDNS options, the attacker can cause parsing threads to be occupied, leading to degradation or denial of service under coordinated attack [1].

Impact

Successful exploitation results in degradation of service for legitimate queries, potentially leading to full denial of service if multiple threads are tied up. No data confidentiality or integrity is compromised, but availability is affected [1].

Mitigation

The issue is fixed in Unbound version 1.25.1, which limits acceptable incoming EDNS options to 100. Users should upgrade to 1.25.1 or apply the provided patch for 1.25.0. The patch is available from the NLnet Labs advisory [1].

References
  1. https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Nlnetlabs/Unboundinferred2 versions
    <=1.25.0+ 1 more
    • (no CPE)range: <=1.25.0
    • (no CPE)range: <=1.25.0

Patches

1
ef5ca8436093

- Fix CVE-2026-41292, Parsing a long list of incoming EDNS options

https://github.com/NLnetLabs/unboundW.C.A. WijngaardsMay 20, 2026Fixed in release-1.25.1via llm-release-walk
commit
2 files changed · +11 3
  • doc/Changelog+3 0 modified
    @@ -10,6 +10,9 @@
 	  Griffiths from 'calif.io' for the report.
 	- Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
 	  Zhang, Palo Alto Networks, for the report.
+	- Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
+	  degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
+	  Zhang from Palo Alto Networks, for the report.
 
 23 April 2026: Wouter
 	- Merge #1441: Fix buffer overrun in
  • util/data/msgparse.c+8 3 modified
    @@ -53,6 +53,8 @@
 #include "sldns/parseutil.h"
 #include "sldns/wire2str.h"
 
+#define MAX_PARSED_EDNS_OPTIONS 100
+
 /** smart comparison of (compressed, valid) dnames from packet */
 static int
 smart_compare(sldns_buffer* pkt, uint8_t* dnow, 
@@ -950,7 +952,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
 	struct comm_reply* repinfo, uint32_t now, struct regional* region,
 	struct cookie_secrets* cookie_secrets)
 {
-	int nsid_seen = 0, cookie_seen = 0, padding_seen = 0;
+	int i = 0, nsid_seen = 0, cookie_seen = 0, padding_seen = 0;
 	/* To respond with a Keepalive option, the client connection must have
 	 * received one message with a TCP Keepalive EDNS option, and that
 	 * option must have 0 length data. Subsequent messages sent on that
@@ -970,7 +972,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
 
 	/* while still more options, and have code+len to read */
 	/* ignores partial content (i.e. rdata len 3) */
-	while(rdata_len >= 4) {
+	while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
 		uint16_t opt_code = sldns_read_uint16(rdata_ptr);
 		uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
 		uint8_t server_cookie[40];
@@ -1150,6 +1152,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
 		}
 		rdata_ptr += opt_len;
 		rdata_len -= opt_len;
+		i++;
 	}
 	return LDNS_RCODE_NOERROR;
 }
@@ -1164,6 +1167,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
 	struct rrset_parse* found_prev = 0;
 	size_t rdata_len;
 	uint8_t* rdata_ptr;
+	int i = 0;
 	/* since the class encodes the UDP size, we cannot use hash table to
 	 * find the EDNS OPT record. Scan the packet. */
 	while(rrset) {
@@ -1223,7 +1227,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
 
 	/* while still more options, and have code+len to read */
 	/* ignores partial content (i.e. rdata len 3) */
-	while(rdata_len >= 4) {
+	while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
 		uint16_t opt_code = sldns_read_uint16(rdata_ptr);
 		uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
 		rdata_ptr += 4;
@@ -1238,6 +1242,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
 		}
 		rdata_ptr += opt_len;
 		rdata_len -= opt_len;
+		i++;
 	}
 	/* ignore rrsigs */
 	return LDNS_RCODE_NOERROR;

Vulnerability mechanics

Root cause

"Missing limit on the number of EDNS options parsed from incoming queries and responses allows an attacker to force Unbound threads to spend excessive CPU time processing a long list of options."

Attack vector

An attacker sends DNS queries (or responses) containing a crafted EDNS OPT pseudo-record with a large number of EDNS options (over 100). The vulnerable while loops in `parse_edns_options_from_query` and `parse_extract_edns_from_response_msg` iterate without any upper bound, causing Unbound worker threads to spend excessive CPU cycles parsing and allocating internal data structures for each option [CWE-407][CWE-770]. This is a network-triggered degradation-of-service attack; coordinated attackers can amplify the effect to cause full denial of service.

Affected code

The vulnerable code is in `util/data/msgparse.c` in two functions: `parse_edns_options_from_query` (line ~972) and `parse_extract_edns_from_response_msg` (line ~1227). Both contain unbounded while loops that iterate over EDNS options without a maximum iteration limit.

What the fix does

The patch introduces a `MAX_PARSED_EDNS_OPTIONS` constant set to 100 and adds a counter `i` to both parsing loops. The while-loop condition now includes `i < MAX_PARSED_EDNS_OPTIONS`, so parsing stops after 100 EDNS options regardless of how many remain in the packet [patch_id=792359]. This caps the worst-case CPU cost per query, preventing an attacker from holding threads hostage with an arbitrarily long list of options.

Preconditions

  • networkAttacker must be able to send DNS queries to the target Unbound resolver.
  • inputAttacker must craft a DNS query (or response) containing an EDNS OPT pseudo-record with more than 100 EDNS options.

Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.