Threat Feed
Advisory severity: high

CVE-2026-42944: Heap Overflow with Multiple NSID, COOKIE, and PADDING EDNS Options

Microsoft disclosed CVE-2026-42944, a heap overflow vulnerability related to the processing of multiple NSID, COOKIE, and PADDING EDNS options in an unspecified product.

On May 21, 2026, Microsoft published information regarding CVE-2026-42944, a heap overflow vulnerability. The flaw stems from the processing of multiple NSID, COOKIE, and PADDING Extended DNS (EDNS) options, which a DNS message carries as option TLVs in the RDATA of its OPT pseudo-RR (RFC 6891). The affected product and the precise attack vector were not disclosed in the initial advisory. Depending on what the corrupted heap memory holds, the impact ranges from a denial of service (a crash of the parsing process) to remote code execution. More details will likely follow, but defenders should plan for exploit development and in-the-wild attacks in the meantime.

Attack Chain

Given the limited information, the following attack chain is a hypothetical reconstruction based on typical heap overflow exploitation scenarios; none of these steps has been confirmed for the affected product:

  1. An attacker crafts a DNS message whose OPT pseudo-RR carries multiple NSID, COOKIE, and PADDING EDNS options, repeated and sized at the attacker's discretion.
  2. The malicious DNS message is sent to a vulnerable DNS server or client.
  3. The vulnerable software parses the OPT RR and iterates over the option TLVs it contains.
  4. Because the parser assumes each option code appears at most once, or trusts the attacker-supplied OPTION-LENGTH fields, the heap buffer it allocates is smaller than the data it goes on to write.
  5. As the options are copied into that buffer, the excessive number and/or size of NSID, COOKIE, and PADDING options carries the writes past its end.
  6. The heap overflow corrupts adjacent memory structures, potentially overwriting function pointers or critical data.
  7. The attacker leverages the memory corruption to achieve arbitrary code execution or to crash the process (denial of service).
  8. If code execution is achieved, the attacker can install malware, exfiltrate data, or pivot to other systems.

Impact

Successful exploitation of CVE-2026-42944 could lead to a denial-of-service condition on affected DNS servers or clients, disrupting name resolution for everything that depends on them. In a more severe scenario, the vulnerability may allow remote code execution, giving an attacker control of the compromised system. This could enable data theft, malware deployment, or further lateral movement within the network. The extent of the impact depends on the specific product affected and the privileges of the exploited process.

Recommendation

  • Monitor network traffic for DNS messages whose OPT pseudo-RR carries an unusually large number of option TLVs, or repeated NSID, COOKIE, or PADDING options, using a network intrusion detection system (NIDS). This requires packet-level inspection: flow records and typical query logs record at most the presence of EDNS, not the individual options.
  • Deploy the Sigma rule "Detect Suspicious DNS Packets with Excessive EDNS Options" to identify potential exploitation attempts in network traffic.
  • Once Microsoft identifies the affected product, apply the security patch as soon as it becomes available to remediate CVE-2026-42944.
  • Enable DNS query logging to support investigation of suspicious DNS traffic, and retain packet captures for the DNS servers most exposed to untrusted clients, since the option data itself will not appear in query logs.
  • Monitor for unusual process behavior following DNS queries, such as unexpected child processes of the DNS service or new outbound connections from it, using endpoint detection and response (EDR) solutions.
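As an added illustration (not code from Microsoft, the affected product, or the rule author), the following C program ties the hypothetical attack chain above to the first monitoring recommendation. It locates the OPT pseudo-RR in a constructed DNS query, walks the EDNS option TLVs with every OPTION-LENGTH checked against the remaining RDATA, counts repeated NSID, COOKIE and PADDING options, reports how far a receiver that sized its heap buffer on one instance per option code would write past its allocation (the sizing mistake the chain hypothesizes, computed rather than performed), and applies a simple excessive-options heuristic. The sample packet, the `max_options` threshold and the naive sizing rule are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OPT pseudo-RR is TYPE 41 (RFC 6891); option codes NSID=3 (RFC 5001),
 * COOKIE=10 (RFC 7873), PADDING=12 (RFC 7830). */
#define TYPE_OPT     41
#define EDNS_NSID    3
#define EDNS_COOKIE  10
#define EDNS_PADDING 12

/* Constructed sample, not a captured packet: a query for "a." whose OPT RR
 * carries two NSID, two COOKIE and two PADDING options (six TLVs, 44 bytes). */
static const uint8_t sample_msg[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01, /* header, ARCOUNT=1 */
    0x01,'a',0x00, 0x00,0x01, 0x00,0x01,                            /* question: a. A IN */
    0x00, 0x00,0x29, 0x10,0x00, 0x00,0x00,0x00,0x00, 0x00,0x2c,     /* OPT RR, RDLENGTH=44 */
    0x00,0x03,0x00,0x00, 0x00,0x03,0x00,0x00,                       /* NSID x2, empty */
    0x00,0x0a,0x00,0x08, 1,2,3,4,5,6,7,8,                           /* COOKIE, 8-byte client cookie */
    0x00,0x0a,0x00,0x08, 1,2,3,4,5,6,7,8,                           /* COOKIE again */
    0x00,0x0c,0x00,0x02, 0,0, 0x00,0x0c,0x00,0x02, 0,0,             /* PADDING x2, 2 bytes each */
};

struct edns_stats {
    size_t options, nsid, cookie, padding; /* TLV counts */
    size_t known_bytes;  /* bytes (TLV header included) of all NSID/COOKIE/PADDING TLVs */
    size_t first_bytes;  /* same, counting only the first TLV of each code */
    int malformed;       /* an OPTION-LENGTH pointed past RDLENGTH */
};

/* Skip a wire-format name; returns the next offset, or > len on truncation. */
static size_t skip_name(const uint8_t *msg, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = msg[off];
        if (l == 0) return off + 1;
        if ((l & 0xC0) == 0xC0) return off + 2;  /* compression pointer ends the name */
        off += 1 + l;
    }
    return len + 1;
}

/* Locate the RDATA of the first OPT RR; NULL if absent or the message is truncated. */
static const uint8_t *find_opt_rdata(const uint8_t *msg, size_t len, size_t *rdlen)
{
    if (len < 12) return NULL;
    size_t qd  = (size_t)(msg[4] << 8 | msg[5]);
    size_t rrs = (size_t)(msg[6] << 8 | msg[7]) + (msg[8] << 8 | msg[9]) + (msg[10] << 8 | msg[11]);
    size_t off = 12;
    for (size_t i = 0; i < qd; i++) {              /* question: NAME, QTYPE, QCLASS */
        off = skip_name(msg, len, off);
        if (off > len || len - off < 4) return NULL;
        off += 4;
    }
    for (size_t i = 0; i < rrs; i++) {             /* RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA */
        off = skip_name(msg, len, off);
        if (off > len || len - off < 10) return NULL;
        uint16_t type = (uint16_t)(msg[off] << 8 | msg[off + 1]);
        size_t rl = (size_t)(msg[off + 8] << 8 | msg[off + 9]);
        off += 10;
        if (rl > len - off) return NULL;            /* RDLENGTH must fit in the message */
        if (type == TYPE_OPT) { *rdlen = rl; return msg + off; }
        off += rl;
    }
    return NULL;
}

/* Walk the option TLVs, checking every OPTION-LENGTH against what remains of RDATA. */
static struct edns_stats edns_option_stats(const uint8_t *rd, size_t rdlen)
{
    struct edns_stats s = {0};
    for (size_t off = 0; off < rdlen;) {
        if (rdlen - off < 4) { s.malformed = 1; break; }
        uint16_t code = (uint16_t)(rd[off] << 8 | rd[off + 1]);
        size_t olen = (size_t)(rd[off + 2] << 8 | rd[off + 3]);
        off += 4;
        if (olen > rdlen - off) { s.malformed = 1; break; }  /* never trust OPTION-LENGTH */
        s.options++;
        size_t *n = code == EDNS_NSID ? &s.nsid : code == EDNS_COOKIE ? &s.cookie
                  : code == EDNS_PADDING ? &s.padding : NULL;
        if (n) {
            if (*n == 0) s.first_bytes += 4 + olen;
            s.known_bytes += 4 + olen;
            (*n)++;
        }
        off += olen;
    }
    return s;
}

/* Hypothetical vulnerable sizing (bug-class illustration, not the affected product's code):
 * a receiver that reserves heap space for one TLV per option code and then copies every
 * occurrence writes this many bytes past its allocation. Computed here, not performed. */
static size_t naive_overflow_bytes(const struct edns_stats *s)
{
    return s->known_bytes - s->first_bytes;
}

/* Detection heuristic from the recommendation: malformed RDATA, a repeated
 * NSID/COOKIE/PADDING option, or more TLVs than max_options (a tuning knob, not a published value). */
static int is_suspicious(const struct edns_stats *s, size_t max_options)
{
    return s->malformed || s->nsid > 1 || s->cookie > 1 || s->padding > 1 || s->options > max_options;
}

int main(void)
{
    size_t rdlen = 0;
    const uint8_t *rd = find_opt_rdata(sample_msg, sizeof sample_msg, &rdlen);
    if (!rd) return 1;
    struct edns_stats s = edns_option_stats(rd, rdlen);
    printf("options=%zu nsid=%zu cookie=%zu padding=%zu malformed=%d\n",
           s.options, s.nsid, s.cookie, s.padding, s.malformed);
    printf("naive reservation short by %zu bytes, suspicious=%d\n",
           naive_overflow_bytes(&s), is_suspicious(&s, 8));
    return 0;
}
```

Build with `cc -Wall -o edns_check edns_check.c` and run it against the embedded sample; feeding it real captures means replacing `sample_msg` with the UDP payload (or the TCP message after its two-byte length prefix). Two design points carry over to a real receiver: every OPTION-LENGTH is compared with the bytes left in RDATA before anything is read or copied, and repeated instances of an option code are handled by an explicit policy (reject the message or keep only the first) rather than by an unstated one-per-code assumption in the buffer arithmetic.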

Detection coverage (2 rules)

Detect Suspicious DNS Packets with Excessive EDNS Options

Level: medium

Detects DNS packets with a high number of EDNS options, potentially indicating a heap overflow attempt related to CVE-2026-42944.

Sigma rule. Tactic: denial_of_service. Technique: T1499.004. Log sources: network_connection, windows.

Detect DNS Process Creation with Unusual Arguments

Level: medium

Detects process creation events where the process name is associated with DNS services and the command-line arguments are suspicious, potentially indicating exploitation of CVE-2026-42944.

Sigma rule. Tactic: execution. Technique: T1059.004. Log sources: process_creation, windows.

Detection queries are available on the platform.