Bug 2479774 (CVE-2026-42944)

Summary: CVE-2026-42944 unbound: Heap overflow and crash with multiple nsid, cookie, padding EDNS options
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: rhel-process-autobot, security-response-team, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Unbound, a Domain Name System (DNS) resolver. A remote attacker could trigger a heap overflow by sending specially crafted DNS reply packets. This occurs when Unbound attempts to encode multiple Name Server Identifier (NSID) or Extension Mechanisms for DNS (EDNS) Cookie options, or EDNS Padding options, and these options are enabled. Successful exploitation of this vulnerability could lead to a denial of service (DoS), making the Unbound service unavailable.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2480119, 2481345    
Bug Blocks:    

Description OSIDB Bzimport 2026-05-19 10:09:36 UTC
A vulnerability was found in Unbound that results in heap overflow when
encoding multiple NSID and/or DNS Cookie EDNS and/or EDNS Padding options in
the reply packet.
The relevant options ('nsid', 'answer-cookie', 'pad-responses' (default)) need
to be enabled for the vulnerability to be exploited.

Unbound 1.25.1 includes a fix to de-duplicate the EDNS options and a fix to
prevent truncation of the EDNS field size calculation that also contributes to
the heap overflow.

Comment 2 errata-xmlrpc 2026-06-04 08:32:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:23231 https://access.redhat.com/errata/RHSA-2026:23231

Comment 3 errata-xmlrpc 2026-06-08 08:40:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:24365 https://access.redhat.com/errata/RHSA-2026:24365

Comment 4 errata-xmlrpc 2026-06-08 10:25:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:24369 https://access.redhat.com/errata/RHSA-2026:24369