CVE-2026-42944 Overview
CVE-2026-42944 is a heap buffer overflow in NLnet Labs Unbound, a widely deployed validating, recursive, caching DNS resolver. The flaw affects versions 1.14.0 through 1.25.0 and stems from a numeric truncation error [CWE-197] in the size calculation used when encoding EDNS options into a reply. An unauthenticated remote attacker who can send queries to Unbound can trigger an out-of-bounds heap write by attaching multiple NSID, DNS Cookie, or EDNS Padding options to a single query. Exploitation requires that at least one of the nsid, answer-cookie, or pad-responses options is enabled in unbound.conf; pad-responses is enabled by default, which widens the exposed footprint.
Critical Impact
A remote attacker who can query the resolver can make Unbound write past the end of a heap buffer, crashing the daemon and denying DNS resolution to every downstream client.
Affected Products
- NLnet Labs Unbound 1.14.0 through 1.25.0
- Deployments with pad-responses enabled (the default). Note that Unbound applies response padding only to queries received over a TLS-encrypted connection, so for this option the exposed path is an encrypted listener; consult the vendor advisory for the exact reachability conditions.
- Deployments with nsid or answer-cookie options enabled
Discovery Timeline
- 2026-05-20 - CVE-2026-42944 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-42944
Vulnerability Analysis
The vulnerability resides in the Extension Mechanisms for DNS (EDNS) option encoding path of Unbound's reply construction logic. When a query carries multiple NSID, DNS Cookie, or EDNS Padding options, Unbound computes the size of the buffer needed to encode the corresponding response options. Because that computation truncates the total, the resulting allocation is smaller than the data subsequently written into it, producing a heap buffer overflow.
The overflow writes the encoded reply options beyond the allocated buffer, corrupting adjacent heap metadata or objects. The immediately observable outcome is a process crash, which terminates DNS resolution for every client served by the affected instance. Because Unbound is commonly deployed as critical infrastructure on enterprise resolvers, ISP caching layers, and DNS appliances, a crash translates directly into broad service disruption.
Root Cause
The defect has two components. First, Unbound did not de-duplicate repeated EDNS options supplied in a single query, so an adversary could inflate the option count arbitrarily. Second, the size calculation for the EDNS field is performed in an integer type too narrow for the cumulative option length, so the value wraps once the total exceeds what that type can hold. The truncated allocation, combined with un-deduplicated input, lets the encoder write past the end of the allocated heap region.
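The truncation described above, shown as an added illustrative model rather than Unbound's own code: the function names, the 4-byte option header plus a 16-byte configured NSID value, and the 4000-option query are assumptions chosen to make the arithmetic visible. The vulnerable calculation accumulates into a 16-bit integer; the hardened one accumulates in size_t and rejects any total the 16-bit OPT RDLENGTH field cannot hold, and the encoder checks its buffer before every write.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of the CWE-197 pattern, not Unbound's implementation.
 * Option sizes, the 16-byte NSID and the function names are assumptions. */

#define OPT_HDR_LEN 4u   /* OPTION-CODE (2 bytes) + OPTION-LENGTH (2 bytes) */

/* Vulnerable pattern: the running total lives in a uint16_t, so once the
 * reply options exceed 65535 bytes it wraps modulo 2^16 and the caller
 * allocates far less than the encoder will then write. */
uint16_t calc_opt_rdata_len_vuln(size_t nopts, uint16_t optlen)
{
    uint16_t total = 0;
    for (size_t i = 0; i < nopts; i++)
        total += OPT_HDR_LEN + optlen;   /* silently truncated */
    return total;
}

/* Hardened pattern: accumulate in size_t and refuse any total the 16-bit
 * OPT RDLENGTH field cannot represent. Returns 1 and sets *out on success,
 * 0 if the reply options would not fit. */
int calc_opt_rdata_len_safe(size_t nopts, uint16_t optlen, size_t *out)
{
    size_t total = 0;
    for (size_t i = 0; i < nopts; i++) {
        size_t one = OPT_HDR_LEN + (size_t)optlen;
        if (one > UINT16_MAX || total > UINT16_MAX - one)
            return 0;                    /* would overflow RDLENGTH */
        total += one;
    }
    *out = total;
    return 1;
}

/* Bytes a vulnerable path would write past a buffer sized by
 * calc_opt_rdata_len_vuln (0 when no truncation occurs). */
size_t overflow_bytes(size_t nopts, uint16_t optlen)
{
    size_t real = nopts * (OPT_HDR_LEN + (size_t)optlen);
    size_t truncated = calc_opt_rdata_len_vuln(nopts, optlen);
    return real > truncated ? real - truncated : 0;
}

/* Encoder with the bounds check a fixed encoder needs: writes whole
 * options (code, length, zero-filled payload) into buf and stops before
 * exceeding cap. Returns the number of bytes written. */
size_t encode_opts(uint8_t *buf, size_t cap, size_t nopts,
                   uint16_t code, uint16_t optlen)
{
    size_t off = 0;
    for (size_t i = 0; i < nopts; i++) {
        if (off + OPT_HDR_LEN + optlen > cap)
            break;                       /* never write past the buffer */
        buf[off++] = (uint8_t)(code >> 8);
        buf[off++] = (uint8_t)(code & 0xff);
        buf[off++] = (uint8_t)(optlen >> 8);
        buf[off++] = (uint8_t)(optlen & 0xff);
        memset(buf + off, 0, optlen);
        off += optlen;
    }
    return off;
}

int main(void)
{
    /* Constructed scenario: a query repeating the NSID option 4000 times
     * against a resolver whose configured NSID is 16 bytes, so each reply
     * option is 20 bytes and the option list totals 80000 bytes. */
    size_t nopts = 4000, safe_len = 0;
    uint16_t optlen = 16;
    printf("truncated size : %u\n", calc_opt_rdata_len_vuln(nopts, optlen));
    printf("overflow bytes : %zu\n", overflow_bytes(nopts, optlen));
    printf("safe calc ok   : %d\n", calc_opt_rdata_len_safe(nopts, optlen, &safe_len));
    return 0;
}
```

The point to take away is that the wrap is silent (80000 bytes becomes 14464) and that the fix has two halves, a wide accumulator plus a rejection path, because a reply whose options exceed 65535 bytes cannot be represented in a single OPT record at all.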
Attack Vector
Exploitation requires only the ability to send DNS queries to the target resolver. No authentication, user interaction, or local access is needed. The attacker constructs a DNS query whose OPT record carries multiple NSID, DNS Cookie, or EDNS Padding options. When Unbound builds the reply, the truncated size calculation triggers the heap overflow and the daemon crashes. The vulnerability primarily affects availability; the vendor advisory does not indicate an integrity or confidentiality impact.
No public proof-of-concept exploit is available at the time of disclosure. See the NLnet Labs CVE-2026-42944 advisory for vendor technical details.
Detection Methods for CVE-2026-42944
Indicators of Compromise
- Unexpected Unbound process crashes or repeated daemon restarts logged by systemd or service supervisors.
- Queries whose OPT record carries the same EDNS option more than once, in particular OPTION-CODE 3 (NSID), 10 (COOKIE), or 12 (Padding).
- Sudden loss of recursive DNS resolution for clients served by an Unbound instance.
Detection Strategies
- Inspect DNS traffic for queries carrying more than one NSID, COOKIE, or Padding option in a single OPT record; legitimate stub resolvers and forwarders send each of these at most once.
- Correlate Unbound segmentation faults or SIGABRT events with inbound query patterns from the same source address.
- Monitor for abnormal spikes in malformed or oversized OPT pseudo-records reaching the resolver.
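A concrete form of the first detection strategy, added here as example code and not taken from Unbound or any IDS: a minimal wire-format walker that counts NSID, COOKIE and Padding options across every OPT record in a message and flags repeats or unparseable OPT RDATA. The two embedded queries are constructed for the demonstration and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Unbound's code: counts NSID, COOKIE and Padding options
 * in every OPT record of a DNS message. The two sample queries are constructed. */

#define DNS_TYPE_OPT 41
#define EDNS_NSID     3
#define EDNS_COOKIE  10
#define EDNS_PADDING 12

struct edns_opt_counts { unsigned nsid, cookie, padding; int malformed; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Skip a wire-format name at off; returns the offset after it, 0 if truncated. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = m[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return off + 2 <= len ? off + 2 : 0; /* pointer */
        if (l & 0xC0) return 0;                       /* reserved label type */
        off += 1 + l;
    }
    return 0;
}

/* Tally the three option codes over every OPT record; returns the highest
 * repeat count among them (0 if none present or the message is malformed). */
unsigned count_edns_opts(const uint8_t *m, size_t len, struct edns_opt_counts *c)
{
    memset(c, 0, sizeof *c);
    if (len < 12) { c->malformed = 1; return 0; }
    unsigned qd = rd16(m + 4), rrs = rd16(m + 6) + rd16(m + 8) + rd16(m + 10);
    size_t off = 12;
    for (unsigned i = 0; i < qd; i++) {               /* question section */
        off = skip_name(m, len, off);
        if (!off || off + 4 > len) { c->malformed = 1; return 0; }
        off += 4;                                     /* QTYPE + QCLASS */
    }
    for (unsigned i = 0; i < rrs; i++) {              /* answer/authority/additional */
        off = skip_name(m, len, off);
        if (!off || off + 10 > len) { c->malformed = 1; return 0; }
        uint16_t type = rd16(m + off), rdlen = rd16(m + off + 8);
        off += 10;                                    /* TYPE CLASS TTL RDLENGTH */
        if (off + rdlen > len) { c->malformed = 1; return 0; }
        if (type == DNS_TYPE_OPT) {
            size_t p = off, end = off + rdlen;
            while (p + 4 <= end) {                    /* OPTION-CODE, OPTION-LENGTH, data */
                uint16_t code = rd16(m + p), olen = rd16(m + p + 2);
                p += 4;
                if (p + olen > end) { c->malformed = 1; return 0; }
                if (code == EDNS_NSID) c->nsid++;
                else if (code == EDNS_COOKIE) c->cookie++;
                else if (code == EDNS_PADDING) c->padding++;
                p += olen;
            }
            if (p != end) c->malformed = 1;           /* trailing junk in RDATA */
        }
        off += rdlen;
    }
    unsigned max = c->nsid;
    if (c->cookie > max) max = c->cookie;
    if (c->padding > max) max = c->padding;
    return max;
}

/* Detection rule: any of the three options more than once, or an OPT that does not parse. */
int is_suspicious_query(const uint8_t *m, size_t len)
{
    struct edns_opt_counts c;
    unsigned max = count_edns_opts(m, len, &c);
    return c.malformed || max > 1;
}

/* Constructed sample: example.com/A, OPT with one NSID and one COOKIE option. */
const uint8_t benign_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01,   /* header, ARCOUNT=1 */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0x00, 0x00,0x29, 0x04,0xD0, 0x00,0x00,0x00,0x00, 0x00,0x10,         /* OPT, RDLENGTH=16 */
    0x00,0x03, 0x00,0x00,                                                /* NSID */
    0x00,0x0A, 0x00,0x08, 1,2,3,4,5,6,7,8                                /* COOKIE */
};
/* Constructed sample: the same query with the NSID option repeated three times. */
const uint8_t repeated_nsid_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0x00, 0x00,0x29, 0x04,0xD0, 0x00,0x00,0x00,0x00, 0x00,0x18,         /* RDLENGTH=24 */
    0x00,0x03, 0x00,0x00, 0x00,0x03, 0x00,0x00, 0x00,0x03, 0x00,0x00,  /* NSID x3 */
    0x00,0x0A, 0x00,0x08, 1,2,3,4,5,6,7,8
};

int main(void)
{
    struct edns_opt_counts c;
    count_edns_opts(repeated_nsid_query, sizeof repeated_nsid_query, &c);
    printf("nsid=%u cookie=%u padding=%u suspicious=%d\n", c.nsid, c.cookie, c.padding,
           is_suspicious_query(repeated_nsid_query, sizeof repeated_nsid_query));
    return 0;
}
```

The walker handles compression pointers only by skipping them, which is enough here because it never needs the name text. In a capture pipeline you would feed it the UDP payload, or each TCP-framed message after stripping the two-byte length prefix. Treating a malformed OPT as suspicious is deliberate: a fuzzed or hand-built query is at least as interesting as a well-formed one with repeats.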
Monitoring Recommendations
- Forward Unbound logs and host crash telemetry to a centralized analytics platform for correlation with network captures.
- Alert on repeated daemon restarts within short time windows, which suggests active exploitation attempts.
- Track upstream query loss and client-side DNS timeout rates as availability signals for the resolver fleet.
How to Mitigate CVE-2026-42944
Immediate Actions Required
- Upgrade NLnet Labs Unbound to version 1.25.1 or later, which includes both the de-duplication and size-calculation fixes.
- Inventory all Unbound instances across resolvers, appliances, and container images to confirm patched versions are deployed.
- Restrict query access to trusted client networks where feasible using access-control ACLs in unbound.conf.
Patch Information
NLnet Labs released Unbound 1.25.1 to address CVE-2026-42944. The patch de-duplicates EDNS options before encoding and corrects the truncated size calculation for the EDNS field. Full vendor details are available in the NLnet Labs CVE-2026-42944 advisory.
Workarounds
- If patching is not immediately possible, disable the affected options in unbound.conf: remove any nsid: line (or set nsid: ""), and set answer-cookie: no and pad-responses: no. With all three off, the vulnerable encoding path is not reached.
- Put query rate limiting and access-control ACLs in front of Unbound to limit exposure to untrusted networks.
- Restart the Unbound service after configuration changes (or reload it with unbound-control reload where remote control is enabled) so the new settings take effect.
# unbound.conf - disable the affected EDNS options as a temporary workaround
server:
    # NSID is only sent when configured; an empty value (or deleting the line) leaves it unset
    nsid: ""
    answer-cookie: no
    pad-responses: no
    # only answer trusted client networks
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse
# Validate and apply the changes
unbound-checkconf /etc/unbound/unbound.conf
systemctl restart unbound
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.