CVE-2026-32792
Status: Analyzed - Analysis Complete
Heap Overflow in Unbound DNS Server via DNSCrypt

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure, which may lead to a heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query whose decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then keep reading more bytes than necessary until it finds a non-'0x00' byte. Depending on the underlying memory allocator and the memory layout, this could lead to a heap overflow while reading, followed by a crash. The likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch that bounds reading to the given buffer space.
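As an added illustration (not code from Unbound or NLnet Labs), the following shows a DNSCrypt-style padding strip in the unbounded shape the description outlines, next to a bounded version in the spirit of the fix; the function names, the marker constant and the sample buffers are assumptions.

```c
/* Hypothetical illustration of the bug class, not Unbound's implementation.
 * DNSCrypt pads the plaintext with a 0x80 marker followed by 0x00 bytes; the
 * receiver removes the padding by scanning backwards for the marker. */
#include <stddef.h>
#include <stdint.h>

#define PAD_MARKER 0x80

/* Vulnerable shape: walks backwards over 0x00 bytes with no lower bound.
 * When the whole plaintext is 0x00 the loop reads before buf (CWE-125).
 * Kept only for comparison; it must never see untrusted input. */
long strip_padding_unbounded(const uint8_t *buf, size_t len)
{
    const uint8_t *p = buf + len;
    while (*(--p) == 0x00)
        ;                          /* no check against the buffer start */
    if (*p != PAD_MARKER)
        return -1;
    return (long)(p - buf);        /* unpadded length */
}

/* Hardened shape: reading is bounded by the buffer start, and a missing
 * 0x80 marker rejects the packet instead of over-reading (CWE-166). */
long strip_padding_bounded(const uint8_t *buf, size_t len)
{
    size_t i = len;
    while (i > 0 && buf[i - 1] == 0x00)
        i--;
    if (i == 0 || buf[i - 1] != PAD_MARKER)
        return -1;                 /* no marker found: deny the query */
    return (long)(i - 1);          /* unpadded length */
}

/* Constructed samples: a well-formed padded message and the all-zero case
 * from the advisory (decrypted plaintext made entirely of 0x00 bytes). */
const uint8_t sample_good[16] = { 'd', 'n', 's', PAD_MARKER, 0, 0, 0, 0,
                                  0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t sample_zero[16] = { 0 };
```

Running the bounded version on sample_zero returns -1 and the packet is dropped; the unbounded version would walk past the start of the buffer on the same input.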
Meta Information
Published: 2026-05-20
Last Modified: 2026-05-20
Generated: 2026-06-10
AI Q&A: 2026-05-20
EPSS Evaluated: 2026-06-08
Affected Vendors & Products
Vendor: nlnetlabs
Product: unbound
Version / Range: from 1.6.2 (inclusive) to 1.25.1 (exclusive)
CWE ID and Description
CWE-125: The product reads data past the end, or before the beginning, of the intended buffer.
CWE-166: The product receives input from an upstream component, but it does not handle or incorrectly handles the case where an expected special element is missing.
Executive Summary

CVE-2026-32792 is a denial of service vulnerability in NLnet Labs Unbound versions 1.6.2 up to and including 1.25.0 when compiled with DNSCrypt support. It occurs because a specially crafted DNSCrypt query whose decrypted plaintext contains only '0x00' bytes and lacks the expected '0x80' marker causes Unbound to read more bytes than necessary. This excessive reading can lead to a heap overflow and potentially crash the application.

Impact Analysis

This vulnerability can cause Unbound to crash due to a heap overflow triggered by a malicious DNSCrypt query. The impact is a denial of service, meaning that the DNS service provided by Unbound could become unavailable or unstable, potentially disrupting network operations that rely on it.

Detection Guidance

This vulnerability can be detected by monitoring for DNSCrypt queries whose decrypted plaintext consists entirely of 0x00 bytes and lacks the expected 0x80 marker. Such malformed queries may trigger the vulnerability in affected Unbound versions.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

To mitigate this vulnerability, upgrade Unbound to version 1.25.1 or later, which contains a patch that bounds reading within the buffer space to prevent the heap overflow.

Alternatively, manually apply the patch provided for versions up to 1.25.0 if upgrading is not immediately possible.
