CVE-2026-41292 NLnet Labs CVE debrief

Who should care

Operators and administrators of Unbound recursive resolvers, DNS infrastructure owners, managed service providers, and incident responders responsible for internet-facing DNS availability.

Technical summary

The issue is a network-reachable availability problem in Unbound’s handling of long incoming EDNS option lists. According to the vendor and NVD record, an attacker can send queries containing too many EDNS options, causing resolver threads to spend time parsing the options and creating internal data structures. Coordinated requests can degrade service and, in some cases, result in denial of service. The vendor advisory indicates Unbound 1.25.1 addresses this by limiting acceptable incoming EDNS options to 100.

Defensive priority

Elevated: unauthenticated network traffic can impact the availability of DNS infrastructure, so exposed Unbound deployments should be reviewed and updated promptly.

Recommended defensive actions

• Upgrade Unbound to version 1.25.1 or later.
• Verify all deployed Unbound instances and appliances are not running 1.25.0 or earlier.
• Review DNS-facing monitoring for unusual bursts of queries with excessive EDNS option counts.
• Check vendor guidance in the Unbound advisory and apply any environment-specific mitigation steps it provides.
• Confirm rollback and service-restoration procedures in case resolver performance degrades during remediation.

Evidence notes

This debrief is based on the official NVD CVE record and the linked NLnet Labs advisory. The supplied NVD data marks the vulnerability as analyzed, identifies the affected CPE as nlnetlabs:unbound with versions before 1.25.1, and lists secondary weaknesses CWE-407 and CWE-770. The CVE publication and modification timestamps provided are 2026-05-20, and there is no KEV entry in the supplied data.

Official resources