CVE Vulnerabilities

CVE-2026-42944

Numeric Truncation Error

Published: May 20, 2026 | Modified: Jun 30, 2026
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a vulnerability that results in heap overflow when encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in the reply packet. The relevant options (nsid, answer-cookie, pad-responses (default)) need to be enabled for the vulnerability to be exploited. An adversary who can query Unbound can exploit the vulnerability by attaching multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options to the query. A flaw in the size calculation of the EDNS field truncates the correct value which allows the encoder to overflow the available space when writing. Those two combined lead to a heap overflow write of Unbound controlled data and eventually a crash. Unbound 1.25.1 contains a patch with a fix to de-duplicate the EDNS options and a fix to prevent truncation of the EDNS field size calculation.

Weakness

Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.

Affected Software

NameVendorStart VersionEnd Version
UnboundNlnetlabs1.14.0 (including)1.25.1 (excluding)
Red Hat Enterprise Linux 10RedHatunbound-0:1.24.2-7.el10_2.1*
Red Hat Enterprise Linux 8RedHatunbound-0:1.16.2-5.11.el8_10*
Red Hat Enterprise Linux 9RedHatunbound-0:1.24.2-3.el9_8.1*
Red Hat Hardened ImagesRedHatunbound-main-1.25.1-0.1.hum1*
UnboundUbuntudevel*
UnboundUbuntuesm-infra/xenial*
UnboundUbuntunoble*
UnboundUbuntuquesting*
UnboundUbunturesolute*

Potential Mitigations

References