CVE-2026-41292 — Vulnetix

CVE-2026-41292 PUBLISHED CVSS 6.599999904632568 MEDIUM

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

EPSS 0.08% · 22.7th percentile

Risk Scores

CVSS v4.0

6.599999904632568

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Red

EPSS Score

0.08%

22.7th percentile

Affected Products

Vendor	Product	Versions
nlnetlabs	unbound	0
NLnet Labs	Unbound	0

Timeline

May 20, 2026 EPSS Score
May 20, 2026 CVE Published
May 20, 2026 PoC Published
May 20, 2026 PoC Published
May 20, 2026 CVE Updated
May 21, 2026 EPSS Score
May 21, 2026 Coalition ESS Score
May 21, 2026 Security Advisory
May 22, 2026 EPSS Score
May 23, 2026 EPSS Score
May 24, 2026 EPSS Score
May 25, 2026 EPSS Score

References

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-41292 advisory

Open in Interactive Console →