{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-42944","assignerOrgId":"206fc3a0-e175-490b-9eaa-a5738056c9f6","state":"PUBLISHED","assignerShortName":"NLnet Labs","dateReserved":"2026-05-07T10:07:51.833Z","datePublished":"2026-05-20T09:20:23.906Z","dateUpdated":"2026-06-30T12:08:37.439Z"},"containers":{"cna":{"title":"Heap overflow with multiple NSID, COOKIE, PADDING EDNS options","datePublic":"2026-05-20T00:00:00.000Z","affected":[{"vendor":"NLnet Labs","product":"Unbound","versions":[{"version":"1.14.0","status":"affected","lessThan":"1.25.1","versionType":"semver"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation."}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"version":"4.0","baseScore":8.7,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/U:Red"}}],"problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-197","description":"CWE-197: Numeric Truncation Error","type":"CWE"},{"lang":"en","cweId":"CWE-787","description":"CWE-787: Out-of-bounds Write","type":"CWE"}]}],"solutions":[{"lang":"en","value":"This issue is fixed starting with version 1.25.1"}],"timeline":[{"time":"2026-04-26T00:00:00.000Z","lang":"en","value":"Issue reported by Qifan Zhang"},{"time":"2026-04-28T00:00:00.000Z","lang":"en","value":"NLnet Labs shares patch"},{"time":"2026-04-29T00:00:00.000Z","lang":"en","value":"Qifan Zhang verifies patch"},{"time":"2026-05-20T00:00:00.000Z","lang":"en","value":"Fixes released with version 1.25.1"}],"credits":[{"lang":"en","value":"Qifan Zhang (Palo Alto Networks)","type":"finder"}],"references":[{"url":"https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-42944.txt","tags":["vendor-advisory"]}],"providerMetadata":{"orgId":"206fc3a0-e175-490b-9eaa-a5738056c9f6","shortName":"NLnet Labs","dateUpdated":"2026-05-20T09:20:23.906Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-20T13:37:32.347565Z","id":"CVE-2026-42944","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-20T13:38:17.529Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift:4"],"defaultStatus":"affected","product":"Red Hat OpenShift Container Platform 4","vendor":"Red Hat"}],"datePublic":"2026-05-20T11:33:22.428Z","descriptions":[{"lang":"en","value":"A flaw was found in Unbound, a Domain Name System (DNS) resolver. A remote attacker could trigger a heap overflow by sending specially crafted DNS reply packets. This occurs when Unbound attempts to encode multiple Name Server Identifier (NSID) or Extension Mechanisms for DNS (EDNS) Cookie options, or EDNS Padding options, and these options are enabled. Successful exploitation of this vulnerability could lead to a denial of service (DoS), making the Unbound service unavailable."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-42944"},{"name":"RHBZ#2479774","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2479774"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42944.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:23231"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24365"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:24369"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:19752"}],"solutions":[{"lang":"en","value":"RHSA-2026:23231: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:24365: Red Hat Enterprise Linux AppStream (v. 8)"},{"lang":"en","value":"RHSA-2026:24369: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"},{"lang":"en","value":"RHSA-2026:19752: Red Hat Hardened Images"}],"timeline":[{"lang":"en","time":"2026-05-19T09:59:55.126Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-20T11:33:22.428Z","value":"Made public."}],"title":"unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:37.439Z"}}]}}