Cyber Posture

CVE-2026-41292

HighDDoS
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: affectedAppOther: not affectedOth

Published: 20 May 2026

Published
20 May 2026
Modified
20 May 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0005 15.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41292 is a high-severity Inefficient Algorithmic Complexity (CWE-407) vulnerability in Nlnetlabs Unbound. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-5 Denial-of-service Protection
addresses: CWE-770 CWE-407

Requires throttling and limits on resource allocation to prevent exhaustion.

AC-10 Concurrent Session Control
addresses: CWE-770

This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.

CP-4 Contingency Plan Testing
addresses: CWE-770

Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.

CP-5 Contingency Plan Update
addresses: CWE-770

Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.

CP-7 Alternate Processing Site
addresses: CWE-770

Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.

CP-8 Telecommunications Services
addresses: CWE-770

Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.

PL-6 Security-related Activity Planning
addresses: CWE-770

Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.

PM-6 Measures of Performance
addresses: CWE-770

Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.

NVD Description

NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage…

more

while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-407CWE-770

Affected Products

nlnetlabs
unbound
≤ 1.25.1

EU & UK References

References