CVE-2026-32792
Status: Undergoing Analysis - In Progress
Heap Overflow in Unbound DNS Server via DNSCrypt

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: NLnet Labs

Description
NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A malformed DNSCrypt query can make Unbound's DNSCrypt packet reading procedure underflow the start of its buffer, which results in an out-of-bounds read on the heap (reported as a heap overflow). A malicious actor can trigger it with a single DNSCrypt query whose decrypted plaintext consists entirely of 0x00 bytes and therefore does not contain the expected 0x80 padding marker. Unbound keeps reading beyond the bytes it was given until it finds a non-0x00 byte. Depending on the underlying memory allocator and memory layout, that read can run off the heap allocation and crash the process. The likelihood of a crash is low, since it relies heavily on the allocator and the memory layout; if the out-of-bounds read does not crash Unbound, its later packet checks reject the packet. Unbound 1.25.1 contains a fix that bounds the read to the given buffer space.
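The padding scan the description refers to, as an added illustration that is not Unbound's code: a DNSCrypt query's plaintext is padded with one 0x80 byte followed by 0x00 bytes, and the receiver strips the padding by scanning backwards from the end of the decrypted buffer for the 0x80 marker. The block below shows an unbounded scan of that shape beside a bounded one, both run on a constructed all-zero plaintext; the function names, the 64-byte block size and the guard bytes placed before the buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of DNSCrypt query padding (ISO/IEC 7816-4 style):
 * plaintext || 0x80 || 0x00 ... 0x00, rounded up to a multiple of `block`.
 * Not Unbound's code; names and the block size parameter are assumptions.
 * Returns the padded length, or 0 if block is 0 or out is too small.
 */
size_t pad_query(const uint8_t *q, size_t qlen,
                 uint8_t *out, size_t outcap, size_t block)
{
    if (block == 0)
        return 0;
    /* One byte for the marker, then round up to the next multiple of block. */
    size_t padded = ((qlen + 1 + block - 1) / block) * block;
    if (padded > outcap)
        return 0;
    memcpy(out, q, qlen);
    out[qlen] = 0x80;
    memset(out + qlen + 1, 0x00, padded - qlen - 1);
    return padded;
}

/*
 * VULNERABLE pattern: scan backwards from the end for the first non-zero
 * byte with no lower bound. On an all-zero input the scan walks past
 * msg[0] and reads whatever precedes the buffer. Returns the offset at
 * which the scan stopped; a negative value means it read before msg.
 */
ptrdiff_t find_marker_unbounded(const uint8_t *msg, size_t len)
{
    const uint8_t *p = msg + len;
    do {
        p--;                      /* no check that p stays >= msg */
    } while (*p == 0x00);
    return p - msg;
}

/*
 * FIXED pattern: the index never drops below zero, so an all-zero input is
 * rejected instead of being read past the start. Returns the plaintext
 * length (offset of the 0x80 marker), or -1 if no marker is in range.
 */
ptrdiff_t unpad_bounded(const uint8_t *msg, size_t len)
{
    size_t i = len;
    while (i > 0 && msg[i - 1] == 0x00)
        i--;
    if (i == 0 || msg[i - 1] != 0x80)
        return -1;
    return (ptrdiff_t)(i - 1);
}

#define GUARD  8
#define MSGLEN 64

/*
 * Constructed scenario from the advisory: the decrypted query is all 0x00
 * bytes. The message sits inside a larger arena so the over-read stays in
 * this program's own memory; the GUARD bytes stand in for whatever happens
 * to precede the allocation on the heap. Were those bytes also zero, or
 * unmapped, the scan would keep going, which is the crash the advisory
 * describes.
 */
ptrdiff_t demo_overread(void)
{
    uint8_t arena[GUARD + MSGLEN];
    memset(arena, 0x80, GUARD);            /* stand-in heap neighbour, non-zero */
    memset(arena + GUARD, 0x00, MSGLEN);   /* attacker-controlled all-zero query */
    return find_marker_unbounded(arena + GUARD, MSGLEN);  /* -1: one byte before msg */
}

/* Same all-zero input against the bounded scan: rejected, nothing read outside. */
ptrdiff_t demo_all_zero_bounded(void)
{
    uint8_t zeros[MSGLEN];
    memset(zeros, 0x00, sizeof zeros);
    return unpad_bounded(zeros, sizeof zeros);  /* -1 */
}

/* Round trip of a constructed 4-byte stand-in query through pad and unpad.
 * Its trailing 0x00 data byte is preserved because the scan stops at 0x80. */
ptrdiff_t demo_roundtrip(void)
{
    static const uint8_t q[4] = { 0x12, 0x34, 0x01, 0x00 };  /* constructed sample */
    uint8_t padded[256];
    size_t n = pad_query(q, sizeof q, padded, sizeof padded, 64);
    if (n != 64)
        return -2;
    return unpad_bounded(padded, n);  /* 4 */
}

int main(void)
{
    printf("unbounded scan on all-zero query stopped at offset %td\n", demo_overread());
    printf("bounded scan on all-zero query returned %td\n", demo_all_zero_bounded());
    printf("round-trip plaintext length %td\n", demo_roundtrip());
    return 0;
}
```

The negative offset returned by demo_overread is the whole bug: the unbounded loop treats whatever non-zero byte it meets before the buffer as the end of padding, and only the arena keeps the read inside defined memory here. The bounded version is the shape of the 1.25.1 fix the description mentions, rejecting the all-zero query before any byte outside the buffer is touched.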
CVSS Scores: none listed
EPSS Scores: not yet evaluated
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)
Vendor      Product   Version / Range
nlnet_labs  unbound   From 1.6.2 (inclusive) to 1.25.0 (inclusive)
nlnet_labs  unbound   1.25.1 (fixed release, listed as an associated CPE rather than an affected version)
CWE
CWE-125 (Out-of-bounds Read): The product reads data past the end, or before the beginning, of the intended buffer. Here the read runs before the beginning of the decrypted buffer when the scan for the padding marker finds only 0x00 bytes.
CWE-166 (Improper Handling of Missing Special Element): The product receives input from an upstream component, but it does not handle or incorrectly handles when an expected special element is missing. Here the missing element is the 0x80 padding marker.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32792 is a denial of service vulnerability in NLnet Labs Unbound versions 1.6.2 up to and including 1.25.0 when compiled with DNSCrypt support. A specially crafted DNSCrypt query whose decrypted plaintext contains only 0x00 bytes, and so lacks the expected 0x80 padding marker, makes Unbound's packet reading procedure read beyond the bytes it was given while searching for a non-zero byte. Depending on the memory allocator and layout, that out-of-bounds heap read can crash the process.


How can this vulnerability impact me? :

A single malicious DNSCrypt query can crash Unbound through the out-of-bounds heap read. The impact is denial of service: the DNS resolver becomes unavailable or unstable, disrupting the network operations that rely on it. Only builds with --enable-dnscrypt are affected, and even then a crash depends on the allocator and memory layout, so the query will often simply be rejected by Unbound's later packet checks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The triggering condition lives in the decrypted plaintext, so a network monitor that only sees the encrypted DNSCrypt traffic cannot observe it; detection on the wire is not practical without the resolver's keys. Check exposure on the host instead.

Run unbound -V and read the Version line: anything from 1.6.2 up to and including 1.25.0 is in the affected range. The same output prints the Configure line; if it does not contain --enable-dnscrypt, the build is not affected. To see whether DNSCrypt is actually in use, look for a dnscrypt: section with dnscrypt-enable: yes in unbound.conf (unbound-checkconf validates the configuration).

Unexplained Unbound crashes or restarts on a DNSCrypt-enabled resolver are worth investigating, since a crash is the only observable effect the advisory describes.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Unbound to version 1.25.1 or later, which bounds the padding read to the given buffer space so the all-zero query is rejected instead of read past.

If upgrading is not immediately possible, backport the 1.25.1 fix to your build. Since only builds compiled with --enable-dnscrypt are affected, a build without DNSCrypt support is not exposed to this issue.

