CVE-2026-41292

NameCVE-2026-41292
DescriptionNLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-6304-1
Debian Bugs1137187

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
unbound (PTS)bullseye1.13.1-1+deb11u2vulnerable
bullseye (security)1.13.1-1+deb11u7vulnerable
bookworm1.17.1-2+deb12u4vulnerable
bookworm (security)1.17.1-2+deb12u3vulnerable
trixie1.22.0-2+deb13u2vulnerable
trixie (security)1.22.0-2+deb13u3fixed
forky, sid1.25.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
unboundsourcetrixie1.22.0-2+deb13u3DSA-6304-1
unboundsource(unstable)1.25.1-11137187

Notes

https://www.openwall.com/lists/oss-security/2026/05/20/5
https://nlnetlabs.nl/downloads/unbound/CVE-2026-41292.txt
Search for package or bug name: Reporting problems