CVE-2026-42944
EUVD-2026-3108520.05.2026, 10:16
NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.EnginsightAffected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nlnetlabs | unbound | 1.14.0 ≤ 𝑥 < 1.25.1 |
𝑥
= Vulnerable software versions
Debian Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libunbound8 |
| ||||||||||||||||
| unbound-anchor |
| ||||||||||||||||
| unbound-devel |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||||
|---|---|---|---|---|---|
| python3-unbound |
| ||||
| unbound |
| ||||
| unbound-devel |
| ||||
| unbound-dracut |
| ||||
| unbound-libs |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| python3-unbound |
| ||
| python3-unbound-debuginfo |
| ||
| unbound |
| ||
| unbound-anchor |
| ||
| unbound-anchor-debuginfo |
| ||
| unbound-debuginfo |
| ||
| unbound-debugsource |
| ||
| unbound-devel |
| ||
| unbound-libs |
| ||
| unbound-libs-debuginfo |
| ||
| unbound-utils |
| ||
| unbound-utils-debuginfo |
|
Common Weakness Enumeration
References