{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3anlnetlabsunbound/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-44390"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["dos","cve","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-44390 describes a denial-of-service vulnerability affecting Microsoft products. The vulnerability stems from unbounded name compression, which can lead to excessive resource consumption when processing crafted network packets. Successful exploitation could result in a degradation of service, impacting the availability of affected systems. Defenders should apply relevant patches as soon as possible to mitigate this risk. This vulnerability has the potential to disrupt critical services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, a detailed attack chain cannot be fully constructed. However, a general outline based on the nature of the vulnerability is provided below:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious network packet containing a DNS record with unbounded name compression.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted packet to a vulnerable Microsoft service that handles DNS requests.\u003c/li\u003e\n\u003cli\u003eThe vulnerable service attempts to process the malicious DNS record.\u003c/li\u003e\n\u003cli\u003eThe unbounded name compression causes the service to enter a loop or consume excessive memory.\u003c/li\u003e\n\u003cli\u003eResource exhaustion leads to performance degradation.\u003c/li\u003e\n\u003cli\u003eThe service becomes unresponsive or crashes, resulting in a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eLegitimate users are unable to access the service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44390 leads to a denial-of-service condition, impacting the availability of critical Microsoft services. The extent of the impact depends on the specific service affected and the scale of the attack. Affected organizations may experience disruptions in network services, application downtime, and reduced productivity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInvestigate network traffic for anomalous DNS packets exhibiting characteristics of unbounded name compression (refer to CVE-2026-44390).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor system resource usage (CPU, memory) for services processing network packets.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T07:14:22Z","date_published":"2026-05-21T07:14:22Z","id":"https://feed.craftedsignal.io/briefs/2026-05-unbounded-name-compression-dos/","summary":"CVE-2026-44390 is a denial-of-service vulnerability in Microsoft products due to unbounded name compression.","title":"CVE-2026-44390 Unbounded Name Compression Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-unbounded-name-compression-dos/"},{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*"],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-42944"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve","heap-overflow","dns","edns","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn May 21, 2026, Microsoft published information regarding CVE-2026-42944, a heap overflow vulnerability. This vulnerability stems from the processing of multiple NSID, COOKIE, and PADDING Extended DNS (EDNS) options. The specifics of the affected product and the precise attack vector remain undisclosed in the initial advisory. The vulnerability\u0026rsquo;s impact could lead to denial of service or potentially remote code execution. Further details will likely be released as they become available, but defenders should prepare for the potential of exploit development and in-the-wild attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the limited information, the following attack chain is a hypothetical reconstruction based on typical heap overflow exploitation scenarios:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious DNS packet containing multiple NSID, COOKIE, and PADDING EDNS options.\u003c/li\u003e\n\u003cli\u003eThe malicious DNS packet is sent to a vulnerable DNS server or client.\u003c/li\u003e\n\u003cli\u003eThe vulnerable software attempts to parse and process the EDNS options within the DNS packet.\u003c/li\u003e\n\u003cli\u003eDue to improper validation of the number or size of these options, a heap buffer is allocated based on attacker-controlled values.\u003c/li\u003e\n\u003cli\u003eWhen writing the EDNS options into the heap buffer, the software overflows the buffer due to the excessive number and/or size of NSID, COOKIE, and PADDING options.\u003c/li\u003e\n\u003cli\u003eThe heap overflow corrupts adjacent memory structures, potentially overwriting function pointers or critical data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory corruption to achieve arbitrary code execution or cause a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eIf code execution is achieved, the attacker can install malware, exfiltrate data, or pivot to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-42944 could lead to a denial-of-service condition on affected DNS servers or clients, disrupting network services. In a more severe scenario, the vulnerability may allow for remote code execution, granting an attacker the ability to gain control of the compromised system. This could enable data theft, malware deployment, or further lateral movement within the network. The extent of the impact depends on the specific product affected and the privileges of the exploited process.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for suspicious DNS packets containing an unusually large number of NSID, COOKIE, and PADDING EDNS options using a network intrusion detection system (NIDS).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious DNS Packets with Excessive EDNS Options\u003c/code\u003e to identify potential exploitation attempts in network traffic.\u003c/li\u003e\n\u003cli\u003eOnce the affected product is identified by Microsoft, apply the security patch as soon as it becomes available to remediate CVE-2026-42944.\u003c/li\u003e\n\u003cli\u003eEnable DNS query logging to facilitate investigation of suspicious DNS traffic.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process behavior following DNS queries, such as unexpected process creation or network connections, using endpoint detection and response (EDR) solutions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T07:14:09Z","date_published":"2026-05-21T07:14:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42944/","summary":"Microsoft disclosed CVE-2026-42944, a heap overflow vulnerability related to the processing of multiple NSID, COOKIE, and PADDING EDNS options in an unspecified product.","title":"CVE-2026-42944: Heap Overflow with Multiple NSID, COOKIE, and PADDING EDNS Options","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-42944/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}