CVE-2026-41292

Description

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

How to fix CVE-2026-41292

To remediate CVE-2026-41292, upgrade the affected package to a fixed version below.

—upgrade to 1.25.1-r0 or later
—no fix listed

Is CVE-2026-41292 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.25.1-r0
from 0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2026-41292
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2026-41292