Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-41292
PUBLISHED
More InfoOfficial Page
Assigner-NLnet Labs
Assigner Org ID-206fc3a0-e175-490b-9eaa-a5738056c9f6
View Known Exploited Vulnerability (KEV) details
Published At-20 May, 2026 | 09:19
Updated At-20 May, 2026 | 12:11
Rejected At-
▼CVE Numbering Authority (CNA)
Long list of incoming EDNS options degrades performance

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

Affected Products
Vendor
NLnet Labs
Product
Unbound
Default Status
unaffected
Versions
Affected
  • From 0 before 1.25.1 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-407CWE-407: Inefficient Algorithmic Complexity
CWECWE-770CWE-770: Allocation of Resources Without Limits or Throttling
Type: CWE
CWE ID: CWE-407
Description: CWE-407: Inefficient Algorithmic Complexity
Type: CWE
CWE ID: CWE-770
Description: CWE-770: Allocation of Resources Without Limits or Throttling
Metrics
VersionBase scoreBase severityVector
4.06.6MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
Version: 4.0
Base score: 6.6
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Red
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

This issue is fixed starting with version 1.25.1

Configurations
Workarounds
Exploits
Credits
finder
GitHub user N0zoM1z0
finder
Qifan Zhang (Palo Alto Networks)
Timeline
EventDate
Issue reported by N0zoM1z02026-01-11 00:00:00
NLnet Labs shares patch2026-01-12 00:00:00
N0zoM1z0 verifies patch2026-01-13 00:00:00
Issue also reported by Qifan Zhang2026-04-26 00:00:00
NLnet Labs shares same patch2026-04-28 00:00:00
Qifan Zhang verifies patch2026-04-29 00:00:00
Fixes released with version 1.25.12026-05-20 00:00:00
Event: Issue reported by N0zoM1z0
Date: 2026-01-11 00:00:00
Event: NLnet Labs shares patch
Date: 2026-01-12 00:00:00
Event: N0zoM1z0 verifies patch
Date: 2026-01-13 00:00:00
Event: Issue also reported by Qifan Zhang
Date: 2026-04-26 00:00:00
Event: NLnet Labs shares same patch
Date: 2026-04-28 00:00:00
Event: Qifan Zhang verifies patch
Date: 2026-04-29 00:00:00
Event: Fixes released with version 1.25.1
Date: 2026-05-20 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt
vendor-advisory
Hyperlink: https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found