CVE-2026-32792 | THREATINT

Description

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query that its decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then start reading more bytes than necessary until it finds a non-'0x00' byte. Based on the underlying memory allocator and the memory layout, it could lead to heap overflow while reading followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-20 | Updated 2026-05-20 | Assigner NLnet Labs

MEDIUM: 4.6CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

Compiled with DNSCrypt

Problem types

CWE-166: Improper Handling of Missing Special Element

CWE-125: Out-of-bounds Read

Product status

Default status

unaffected

1.6.2 (semver) before 1.25.1

affected

Timeline

2026-04-16:	Issue reported by Andrew Griffiths
2026-04-17:	NLnet Labs shares patch
2026-04-18:	Andrew Griffiths verifies patch
2026-05-20:	Fixes released with version 1.25.1

Credits

Andrew Griffiths (calif.io) finder

References

www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt vendor-advisory

cve.org (CVE-2026-32792)

nvd.nist.gov (CVE-2026-32792)

Download JSON