PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42944 NLnet Labs CVE debrief

CVE-2026-42944 is a network-exploitable heap overflow in NLnet Labs Unbound affecting versions 1.14.0 through 1.25.0. The issue can be triggered by a client that can query Unbound and supplies multiple NSID, DNS Cookie, and/or EDNS Padding options, but only when the relevant EDNS features are enabled. NLnet Labs states Unbound 1.25.1 contains the fix.

Vendor: NLnet Labs
Product: Unbound
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Operators and defenders running Unbound recursive resolvers, especially internet-facing deployments and any environment using nsid, answer-cookie, or the default pad-responses setting. Teams responsible for DNS infrastructure stability and availability should prioritize this advisory.

Technical summary

NVD describes the flaw as a heap overflow caused by an EDNS size calculation that truncates the correct value. When Unbound then encodes multiple NSID, DNS Cookie, and/or EDNS Padding options into a reply, the encoder can write past the allocated heap buffer with client-controlled data, leading to a crash. NVD lists the vulnerable range as Unbound 1.14.0 through 1.25.0, and the vendor advisory states that 1.25.1 fixes the issue by de-duplicating EDNS options and preventing truncation in the EDNS size calculation. The published weaknesses are CWE-197 (Numeric Truncation Error) and CWE-787 (Out-of-bounds Write).

Defensive priority

High. The flaw is remotely reachable, requires no privileges or user interaction, and can affect resolver availability. Prioritize remediation for exposed resolvers and any systems using the affected EDNS options.

Recommended defensive actions

  • Upgrade NLnet Labs Unbound to 1.25.1 or later as soon as practical.
  • Audit whether nsid, answer-cookie, and pad-responses are enabled; disable any unneeded EDNS options until patched.
  • Prioritize remediation on internet-facing resolvers and any DNS infrastructure supporting untrusted clients.
  • Monitor resolver logs and service health for abnormal crashes or restarts while remediation is in progress.
  • Review the vendor advisory for mitigation guidance and confirm your deployed build includes the fix.
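The first two actions above can be checked offline before touching a resolver. The script below is an added example written for this debrief; it is not PatchSiren or NLnet Labs code. It takes a version string (a bare `x.y.z` or the first line of `unbound -V` output) and the text of an unbound.conf, reports whether the version falls inside the range the debrief lists as vulnerable (1.14.0 through 1.25.0), and reports which of `nsid`, `answer-cookie` and `pad-responses` end up enabled. Assumptions, marked in the code: `nsid` and `answer-cookie` are off unless the config sets them, `pad-responses` is on by default (as the debrief notes), and `include:` directives are not followed. The sample config is constructed.

```python
import re

# Version range the debrief lists as vulnerable, and the vendor's fixed release.
VULNERABLE_FROM = (1, 14, 0)
VULNERABLE_THROUGH = (1, 25, 0)
FIXED_VERSION = (1, 25, 1)

# Options named in the debrief, with the value applied when the option is absent.
# Assumption: nsid and answer-cookie are off unless set; pad-responses is on by
# default, as the debrief states.
EDNS_OPTIONS_DEFAULT_ENABLED = {
    "nsid": False,
    "answer-cookie": False,
    "pad-responses": True,
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
_OPTION_RE = re.compile(r"^\s*(nsid|answer-cookie|pad-responses)\s*:\s*(.*?)\s*$")


def parse_version(text):
    """Return (major, minor, patch) from a bare version or `unbound -V` output."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected_version(text):
    """True when the version lies in 1.14.0 through 1.25.0 inclusive."""
    return VULNERABLE_FROM <= parse_version(text) <= VULNERABLE_THROUGH


def _option_enabled(name, raw_value):
    """nsid is enabled by any non-empty string; the other two are yes/no switches."""
    value = raw_value.strip().strip('"').strip("'")
    if name == "nsid":
        return value != ""
    return value.lower() == "yes"


def enabled_edns_options(config_text):
    """Scan unbound.conf text and report which of the three options end up enabled.

    Comments (`#` to end of line) are dropped, a later assignment overrides an
    earlier one, and absent options take the defaults above. `include:` lines
    are not followed (assumption), so pass the fully assembled config if used.
    """
    state = dict(EDNS_OPTIONS_DEFAULT_ENABLED)
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]
        match = _OPTION_RE.match(line)
        if match:
            name, raw_value = match.groups()
            state[name] = _option_enabled(name, raw_value)
    return state


def remediation_status(version_text, config_text):
    """Combine both checks into the answer an operator needs for this CVE."""
    affected = is_affected_version(version_text)
    exposed = sorted(name for name, on in enabled_edns_options(config_text).items() if on)
    if not affected:
        action = "outside the vulnerable range; no action for this CVE"
    elif exposed:
        action = "upgrade to 1.25.1 or later; until then disable: " + ", ".join(exposed)
    else:
        action = "upgrade to 1.25.1 or later (none of the named EDNS options are enabled)"
    return {"affected": affected, "exposed_options": exposed, "action": action}


# Constructed sample: NSID on, answer-cookie explicitly off, and pad-responses
# left at its default because the explicit line is commented out.
SAMPLE_CONFIG = """\
server:
    interface: 0.0.0.0
    nsid: "ascii_resolver01"
    answer-cookie: no
    # pad-responses: no
"""

if __name__ == "__main__":
    for version in ("1.13.2", "1.25.0", "1.25.1"):
        print(version, remediation_status(version, SAMPLE_CONFIG))
```

Run it against the real config (`cat /etc/unbound/unbound.conf` and any files it includes) and the output of `unbound -V`; a resolver reported as affected with a non-empty `exposed_options` list is the one to remediate first.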

Evidence notes

The supplied NVD record marks Unbound 1.14.0 through 1.25.0 as vulnerable and references the vendor advisory at NLnet Labs. The vendor description states the bug causes a heap overflow during reply encoding when multiple EDNS options are present, and that Unbound 1.25.1 fixes the issue by deduplicating EDNS options and correcting the size calculation. The provided enrichment does not list this CVE in CISA KEV.

Official resources

Publicly disclosed on 2026-05-20 in the CVE/NVD record, with the vendor advisory referenced by NVD on the same date. The supplied enrichment does not indicate a CISA KEV entry.