Service Degradation Vulnerability in NLnet Labs Unbound Product
CVE-2026-41292

6.6MEDIUM

Key Information:

Vendor: Nlnet Labs
Status: Unbound
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-41292?

NLnet Labs Unbound, prior to version 1.25.1, is susceptible to a service degradation issue stemming from the handling of overly extensive EDNS options. When an attacker submits queries containing a multitude of EDNS options, it may cause the Unbound threads to become overwhelmed and unable to process incoming requests effectively. This scenario can lead to a significant slowdown in service or an outright denial of service if managed through coordinated attacks. A patch included in version 1.25.1 restricts the number of acceptable incoming EDNS options to 100, thereby mitigating this risk.

Affected Version(s)

Unbound 0 < 1.25.1

References

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-41292...

vendor-advisory

CVSS V4

Score:

6.6

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
May 7, 2026

Credit

GitHub user N0zoM1z0

Qifan Zhang (Palo Alto Networks)

CVE-2026-41292 Data

JSON

Nlnet Labs

What is CVE-2026-41292?

Affected Version(s)

References

CVSS V4

Timeline

Credit