NLnet Labs Unbound up to and including version 1.25.0 is vulnerable to a degradation of service attack related to parsing long lists of incoming EDNS options. An adversary sending queries with too many EDNS options can hold Unbound threads hostage while they are parsing and creating internal data structures for the options. Coordinated attacks can result in degradation and/or denial of service. Unbound 1.25.1 contains a patch with a fix to limit acceptable incoming EDNS options (100).
Casky was already ahead
This CVE exploits attack patterns that Casky's 312matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
NLnet Labs Unbound versions up to 1.25.0 suffer from a resource exhaustion vulnerability in their EDNS (Extension Mechanisms for DNS) option parsing logic. When an attacker sends DNS queries containing an excessive number of EDNS options, the parser consumes significant CPU and memory resources while constructing internal data structures, effectively holding threads hostage. This vulnerability impacts DNS infrastructure globally—recursive resolvers, authoritative nameservers, and any organization relying on Unbound for DNS services face potential service degradation or complete denial of service through coordinated attacks. The attack requires no authentication and can be launched remotely, making it a critical threat to DNS availability, a foundational service for internet connectivity and security operations.
Casky.ai maps this vulnerability to MITRE ATT&CK techniques TA0040 (Impact) and TA0011 (Command and Control), with 312 security skills capable of detecting the attack patterns. Practitioners using Casky would identify resource consumption anomalies—sustained high CPU usage, thread pool exhaustion, and query processing delays correlating with DNS requests containing abnormally large EDNS option counts. Claude's extended reasoning across these 312 skills enables detection of the attack chain: reconnaissance probing with varying EDNS option counts, followed by coordinated volumetric queries designed to overwhelm parser performance. Security teams would observe patterns consistent with Impact techniques (service degradation indicators) and C2 communication anomalies (legitimate DNS queries interrupted by malformed parsing). Implementing the patch limiting EDNS options to 100 and configuring query rate limiting based on Casky's findings directly mitigates this attack vector.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-41292.
Casky has 312 skills that investigate the attack patterns behind CVE-2026-41292. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →analyzing-campaign-attribution-evidence
threat intelligence · low
analyzing-certificate-transparency-for-phishing
threat intelligence · low
analyzing-cobalt-strike-beacon-configuration
malware analysis · medium
analyzing-cobaltstrike-malleable-c2-profiles
malware analysis · medium
analyzing-command-and-control-communication
malware analysis · medium
analyzing-cyber-kill-chain
threat intelligence · low
analyzing-dns-logs-for-exfiltration
soc operations · low
analyzing-golang-malware-with-ghidra
malware analysis · medium
analyzing-heap-spray-exploitation
malware analysis · medium
analyzing-indicators-of-compromise
threat intelligence · low
analyzing-linux-audit-logs-for-intrusion
incident response · low
analyzing-linux-elf-malware
malware analysis · medium
analyzing-macro-malware-in-office-documents
malware analysis · medium
analyzing-malicious-pdf-with-peepdf
malware analysis · medium
analyzing-malware-behavior-with-cuckoo-sandbox
malware analysis · medium
analyzing-malware-family-relationships-with-malpedia
threat intelligence · low
analyzing-malware-persistence-with-autoruns
malware analysis · medium
analyzing-malware-sandbox-evasion-techniques
malware analysis · medium
analyzing-memory-dumps-with-volatility
malware analysis · medium
analyzing-network-covert-channels-in-malware
malware analysis · medium
analyzing-network-flow-data-with-netflow
network security · medium
analyzing-network-packets-with-scapy
network security · medium
analyzing-network-traffic-for-incidents
incident response · low
analyzing-network-traffic-of-malware
malware analysis · medium
analyzing-network-traffic-with-wireshark
network security · medium
analyzing-packed-malware-with-upx-unpacker
malware analysis · medium
analyzing-pdf-malware-with-pdfid
malware analysis · medium
analyzing-persistence-mechanisms-in-linux
threat hunting · low
analyzing-powershell-empire-artifacts
threat hunting · low
analyzing-ransomware-encryption-mechanisms
malware analysis · medium
analyzing-ransomware-leak-site-intelligence
threat intelligence · low
analyzing-ransomware-network-indicators
threat hunting · low
analyzing-ransomware-payment-wallets
ransomware defense · medium
analyzing-security-logs-with-splunk
incident response · low
analyzing-supply-chain-malware-artifacts
malware analysis · medium
analyzing-threat-actor-ttps-with-mitre-attack
threat intelligence · low
analyzing-threat-actor-ttps-with-mitre-navigator
threat intelligence · low
analyzing-threat-intelligence-feeds
threat intelligence · low
analyzing-threat-landscape-with-misp
threat intelligence · low
analyzing-typosquatting-domains-with-dnstwist
threat intelligence · low
analyzing-windows-event-logs-in-splunk
soc operations · low
auditing-tls-certificate-transparency-logs
threat intelligence · low
automating-ioc-enrichment
threat intelligence · low
building-adversary-infrastructure-tracking-system
threat intelligence · low
building-attack-pattern-library-from-cti-reports
threat intelligence · low
building-automated-malware-submission-pipeline
soc operations · low
building-c2-infrastructure-with-sliver-framework
red teaming · high
building-detection-rule-with-splunk-spl
soc operations · low
building-detection-rules-with-sigma
soc operations · low
building-incident-response-dashboard
soc operations · low
building-incident-response-playbook
incident response · low
building-incident-timeline-with-timesketch
incident response · low
building-ioc-defanging-and-sharing-pipeline
threat intelligence · low
building-ioc-enrichment-pipeline-with-opencti
threat intelligence · low
building-malware-incident-communication-template
incident response · low
building-ransomware-playbook-with-cisa-framework
ransomware defense · medium
building-red-team-c2-infrastructure-with-havoc
red teaming · high
building-soc-escalation-matrix
soc operations · low
building-soc-metrics-and-kpi-tracking
soc operations · low
building-soc-playbook-for-ransomware
soc operations · low
building-threat-actor-profile-from-osint
threat intelligence · low
building-threat-feed-aggregation-with-misp
threat intelligence · low
building-threat-hunt-hypothesis-framework
threat hunting · low
building-threat-intelligence-enrichment-in-splunk
soc operations · low
building-threat-intelligence-feed-integration
soc operations · low
building-threat-intelligence-platform
threat intelligence · low
building-vulnerability-scanning-workflow
soc operations · low
collecting-indicators-of-compromise
incident response · low
collecting-open-source-intelligence
threat intelligence · low
collecting-threat-intelligence-with-misp
threat intelligence · low
collecting-volatile-evidence-from-compromised-host
incident response · low
conducting-cloud-incident-response
incident response · low
conducting-domain-persistence-with-dcsync
red teaming · high
conducting-full-scope-red-team-engagement
red teaming · high
conducting-internal-reconnaissance-with-bloodhound-ce
red teaming · high
conducting-malware-incident-response
incident response · low
conducting-man-in-the-middle-attack-simulation
network security · medium
conducting-memory-forensics-with-volatility
incident response · low
conducting-pass-the-ticket-attack
red teaming · high
conducting-phishing-incident-response
incident response · low
conducting-post-incident-lessons-learned
incident response · low
conducting-social-engineering-pretext-call
red teaming · high
conducting-spearphishing-simulation-campaign
red teaming · high
configuring-network-segmentation-with-vlans
network security · medium
configuring-pfsense-firewall-rules
network security · medium
configuring-snort-ids-for-intrusion-detection
network security · medium
configuring-suricata-for-network-monitoring
network security · medium
containing-active-breach
incident response · low
correlating-security-events-in-qradar
soc operations · low
correlating-threat-campaigns
threat intelligence · low
deobfuscating-javascript-malware
malware analysis · medium
deobfuscating-powershell-obfuscated-malware
malware analysis · medium
deploying-decoy-files-for-ransomware-detection
ransomware defense · medium
deploying-ransomware-canary-files
ransomware defense · medium
detecting-anomalies-in-industrial-control-systems
ot ics security · medium
detecting-arp-poisoning-in-network-traffic
network security · medium
detecting-attacks-on-historian-servers
ot ics security · medium
detecting-attacks-on-scada-systems
ot ics security · medium
detecting-command-and-control-over-dns
network security · medium
detecting-dcsync-attack-in-active-directory
threat hunting · low
detecting-dll-sideloading-attacks
threat hunting · low
detecting-dnp3-protocol-anomalies
ot ics security · medium
detecting-dns-exfiltration-with-dns-query-analysis
network security · medium
detecting-email-account-compromise
incident response · low
detecting-email-forwarding-rules-attack
threat hunting · low
detecting-exfiltration-over-dns-with-zeek
network security · medium
detecting-fileless-malware-techniques
malware analysis · medium
detecting-golden-ticket-attacks-in-kerberos-logs
threat hunting · low
detecting-insider-threat-behaviors
threat hunting · low
detecting-kerberoasting-attacks
threat hunting · low
detecting-lateral-movement-in-network
network security · medium
detecting-lateral-movement-with-splunk
threat hunting · low
detecting-lateral-movement-with-zeek
network security · medium
detecting-malicious-scheduled-tasks-with-sysmon
threat hunting · low
detecting-mimikatz-execution-patterns
threat hunting · low
detecting-modbus-command-injection-attacks
ot ics security · medium
detecting-modbus-protocol-anomalies
ot ics security · medium
detecting-network-anomalies-with-zeek
network security · medium
detecting-network-scanning-with-ids-signatures
network security · medium
detecting-ntlm-relay-with-event-correlation
threat hunting · low
detecting-pass-the-hash-attacks
threat hunting · low
detecting-port-scanning-with-fail2ban
network security · medium
detecting-privilege-escalation-attempts
threat hunting · low
detecting-process-hollowing-technique
threat hunting · low
detecting-process-injection-techniques
malware analysis · medium
detecting-ransomware-encryption-behavior
ransomware defense · medium
detecting-ransomware-precursors-in-network
ransomware defense · medium
detecting-rootkit-activity
malware analysis · medium
detecting-service-account-abuse
threat hunting · low
detecting-stuxnet-style-attacks
ot ics security · medium
detecting-suspicious-powershell-execution
threat hunting · low
detecting-t1003-credential-dumping-with-edr
threat hunting · low
detecting-t1055-process-injection-with-sysmon
threat hunting · low
detecting-t1548-abuse-elevation-control-mechanism
threat hunting · low
detecting-wmi-persistence
threat hunting · low
eradicating-malware-from-infected-systems
incident response · low
evaluating-threat-intelligence-platforms
threat intelligence · low
executing-red-team-engagement-planning
red teaming · high
exploiting-active-directory-certificate-services-esc1
red teaming · high
exploiting-active-directory-with-bloodhound
red teaming · high
exploiting-bgp-hijacking-vulnerabilities
network security · medium
exploiting-constrained-delegation-abuse
red teaming · high
exploiting-ipv6-vulnerabilities
network security · medium
exploiting-kerberoasting-with-impacket
red teaming · high
exploiting-ms17-010-eternalblue-vulnerability
red teaming · high
exploiting-nopac-cve-2021-42278-42287
red teaming · high
exploiting-smb-vulnerabilities-with-metasploit
network security · medium
exploiting-zerologon-vulnerability-cve-2020-1472
red teaming · high
extracting-config-from-agent-tesla-rat
malware analysis · medium
extracting-iocs-from-malware-samples
malware analysis · medium
generating-threat-intelligence-reports
threat intelligence · low
hunting-advanced-persistent-threats
threat intelligence · low
hunting-for-anomalous-powershell-execution
threat hunting · low
hunting-for-beaconing-with-frequency-analysis
threat hunting · low
hunting-for-cobalt-strike-beacons
threat hunting · low
hunting-for-command-and-control-beaconing
threat hunting · low
hunting-for-data-exfiltration-indicators
threat hunting · low
hunting-for-data-staging-before-exfiltration
threat hunting · low
hunting-for-dcom-lateral-movement
threat hunting · low
hunting-for-dcsync-attacks
threat hunting · low
hunting-for-defense-evasion-via-timestomping
threat hunting · low
hunting-for-dns-based-persistence
threat hunting · low
hunting-for-dns-tunneling-with-zeek
threat hunting · low
hunting-for-domain-fronting-c2-traffic
threat hunting · low
hunting-for-lateral-movement-via-wmi
threat hunting · low
hunting-for-living-off-the-cloud-techniques
threat hunting · low
hunting-for-living-off-the-land-binaries
threat hunting · low
hunting-for-lolbins-execution-in-endpoint-logs
threat hunting · low
hunting-for-ntlm-relay-attacks
threat hunting · low
hunting-for-persistence-mechanisms-in-windows
threat hunting · low
hunting-for-persistence-via-wmi-subscriptions
threat hunting · low
hunting-for-process-injection-techniques
threat hunting · low
hunting-for-registry-persistence-mechanisms
threat hunting · low
hunting-for-registry-run-key-persistence
threat hunting · low
hunting-for-scheduled-task-persistence
threat hunting · low
hunting-for-shadow-copy-deletion
threat hunting · low
hunting-for-spearphishing-indicators
threat hunting · low
hunting-for-startup-folder-persistence
threat hunting · low
hunting-for-supply-chain-compromise
threat hunting · low
hunting-for-suspicious-scheduled-tasks
threat hunting · low
hunting-for-t1098-account-manipulation
threat hunting · low
hunting-for-unusual-network-connections
threat hunting · low
hunting-for-unusual-service-installations
threat hunting · low
hunting-for-webshell-activity
threat hunting · low
implementing-alert-fatigue-reduction
soc operations · low
implementing-anti-ransomware-group-policy
ransomware defense · medium
implementing-bgp-security-with-rpki
network security · medium
implementing-browser-isolation-for-zero-trust
network security · medium
implementing-conduit-security-for-ot-remote-access
ot ics security · medium
implementing-ddos-mitigation-with-cloudflare
network security · medium
implementing-diamond-model-analysis
threat intelligence · low
implementing-dragos-platform-for-ot-monitoring
ot ics security · medium
implementing-honeypot-for-ransomware-detection
ransomware defense · medium
implementing-ics-firewall-with-tofino
ot ics security · medium
implementing-iec-62443-security-zones
ot ics security · medium
implementing-immutable-backup-with-restic
ransomware defense · medium
implementing-mitre-attack-coverage-mapping
soc operations · low
implementing-nerc-cip-compliance-controls
ot ics security · medium
implementing-network-access-control
network security · medium
implementing-network-access-control-with-cisco-ise
network security · medium
implementing-network-intrusion-prevention-with-suricata
network security · medium
implementing-network-segmentation-for-ot
ot ics security · medium
implementing-network-segmentation-with-firewall-zones
network security · medium
implementing-network-traffic-analysis-with-arkime
network security · medium
implementing-network-traffic-baselining
network security · medium
implementing-next-generation-firewall-with-palo-alto
network security · medium
implementing-ot-incident-response-playbook
ot ics security · medium
implementing-ot-network-traffic-analysis-with-nozomi
ot ics security · medium
implementing-patch-management-for-ot-systems
ot ics security · medium
implementing-purdue-model-network-segmentation
ot ics security · medium
implementing-ransomware-backup-strategy
ransomware defense · medium
implementing-ransomware-kill-switch-detection
ransomware defense · medium
implementing-security-information-sharing-with-stix2
threat intelligence · low
implementing-siem-use-cases-for-detection
soc operations · low
implementing-soar-automation-with-phantom
soc operations · low
implementing-soar-playbook-with-palo-alto-xsoar
soc operations · low
implementing-stix-taxii-feed-integration
threat intelligence · low
implementing-taxii-server-with-opentaxii
threat intelligence · low
implementing-threat-intelligence-lifecycle-management
threat intelligence · low
implementing-threat-modeling-with-mitre-attack
soc operations · low
implementing-ticketing-system-for-incidents
soc operations · low
implementing-velociraptor-for-ir-collection
incident response · low
investigating-insider-threat-indicators
soc operations · low
investigating-phishing-email-incident
soc operations · low
managing-intelligence-lifecycle
threat intelligence · low
mapping-mitre-attack-techniques
threat intelligence · low
monitoring-darkweb-sources
threat intelligence · low
performing-active-directory-bloodhound-analysis
red teaming · high
performing-active-directory-compromise-investigation
incident response · low
performing-ai-driven-osint-correlation
threat intelligence · low
performing-alert-triage-with-elastic-siem
soc operations · low
performing-arp-spoofing-attack-simulation
network security · medium
performing-automated-malware-analysis-with-cape
malware analysis · medium
performing-bandwidth-throttling-attack-simulation
network security · medium
performing-brand-monitoring-for-impersonation
threat intelligence · low
performing-cloud-incident-containment-procedures
incident response · low
performing-credential-access-with-lazagne
red teaming · high
performing-dark-web-monitoring-for-threats
threat intelligence · low
performing-deception-technology-deployment
soc operations · low
performing-disk-forensics-investigation
incident response · low
performing-dns-enumeration-and-zone-transfer
network security · medium
performing-dynamic-analysis-with-any-run
malware analysis · medium
performing-false-positive-reduction-in-siem
soc operations · low
performing-firmware-malware-analysis
malware analysis · medium
performing-ics-asset-discovery-with-claroty
ot ics security · medium
performing-indicator-lifecycle-management
threat intelligence · low
performing-initial-access-with-evilginx3
red teaming · high
performing-insider-threat-investigation
incident response · low
performing-ioc-enrichment-automation
soc operations · low
performing-ip-reputation-analysis-with-shodan
threat intelligence · low
performing-kerberoasting-attack
red teaming · high
performing-lateral-movement-detection
soc operations · low
performing-lateral-movement-with-wmiexec
red teaming · high
performing-log-source-onboarding-in-siem
soc operations · low
performing-malware-hash-enrichment-with-virustotal
threat intelligence · low
performing-malware-ioc-extraction
threat intelligence · low
performing-malware-triage-with-yara
malware analysis · medium
performing-memory-forensics-with-volatility3-plugins
malware analysis · medium
performing-network-traffic-analysis-with-tshark
network security · medium
performing-network-traffic-analysis-with-zeek
network security · medium
performing-oil-gas-cybersecurity-assessment
ot ics security · medium
performing-open-source-intelligence-gathering
red teaming · high
performing-osint-with-spiderfoot
threat intelligence · low
performing-ot-network-security-assessment
ot ics security · medium
performing-ot-vulnerability-assessment-with-claroty
ot ics security · medium
performing-ot-vulnerability-scanning-safely
ot ics security · medium
performing-packet-injection-attack
network security · medium
performing-paste-site-monitoring-for-credentials
threat intelligence · low
performing-physical-intrusion-assessment
red teaming · high
performing-plc-firmware-security-analysis
ot ics security · medium
performing-power-grid-cybersecurity-assessment
ot ics security · medium
performing-privilege-escalation-on-linux
red teaming · high
performing-purple-team-exercise
soc operations · low
performing-ransomware-response
incident response · low
performing-ransomware-tabletop-exercise
ransomware defense · medium
performing-s7comm-protocol-security-analysis
ot ics security · medium
performing-scada-hmi-security-assessment
ot ics security · medium
performing-soc-tabletop-exercise
soc operations · low
performing-ssl-stripping-attack
network security · medium
performing-ssl-tls-inspection-configuration
network security · medium
performing-ssl-tls-security-assessment
network security · medium
performing-static-malware-analysis-with-pe-studio
malware analysis · medium
performing-threat-emulation-with-atomic-red-team
threat intelligence · low
performing-threat-hunting-with-elastic-siem
soc operations · low
performing-threat-hunting-with-yara-rules
threat hunting · low
performing-threat-intelligence-sharing-with-misp
threat intelligence · low
performing-threat-landscape-assessment-for-sector
threat intelligence · low
performing-user-behavior-analytics
soc operations · low
performing-vlan-hopping-attack
network security · medium
performing-wifi-password-cracking-with-aircrack
network security · medium
performing-wireless-security-assessment-with-kismet
network security · medium
performing-yara-rule-development-for-detection
malware analysis · medium
processing-stix-taxii-feeds
threat intelligence · low
profiling-threat-actor-groups
threat intelligence · low
recovering-from-ransomware-attack
ransomware defense · medium
reverse-engineering-android-malware-with-jadx
malware analysis · medium
reverse-engineering-dotnet-malware-with-dnspy
malware analysis · medium
reverse-engineering-malware-with-ghidra
malware analysis · medium
reverse-engineering-ransomware-encryption-routine
malware analysis · medium
reverse-engineering-rust-malware
malware analysis · medium
scanning-network-with-nmap-advanced
network security · medium
securing-historian-server-in-ot-environment
ot ics security · medium
securing-remote-access-to-ot-environment
ot ics security · medium
testing-ransomware-recovery-procedures
incident response · low
tracking-threat-actor-infrastructure
threat intelligence · low
triaging-security-alerts-in-splunk
soc operations · low
triaging-security-incident
incident response · low
triaging-security-incident-with-ir-playbook
incident response · low
validating-backup-integrity-for-recovery
incident response · low
© 2026 Casky.AI, Inc. · AI Security Investigation