The CVE number for this vulnerability is CVE-2026-41292.


== Summary
A degradation of service attack has been discovered in Unbound related to
parsing long lists of incoming EDNS options.

Unbound 1.25.1 includes a fix to limit acceptable incoming EDNS options (100).


== Affected products
Unbound up to and including version 1.25.0.


== Description
An adversary sending queries with too many EDNS options can hold Unbound
threads hostage while they are parsing and creating internal data structures
for the options.
Coordinated attacks can result in degradation and/or denial of service.

Unbound 1.25.1 includes a fix to limit acceptable incoming EDNS options (100).


== Mitigation

=== Downloading patched version
Unbound 1.25.1 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually
For Unbound 1.25.0 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-41292.diff

Apply the patch on the Unbound source directory with:
    patch -p1 < patch_CVE-2026-41292.diff
then run 'make install' to install Unbound.

The patch is tested to work on Unbound 1.25.0.


== Acknowledgments
We would like to thank GitHub user 'N0zoM1z0', also Qifan Zhang from Palo Alto
Networks for discovering and responsibly disclosing the vulnerability.