CVE-2026-32792
Description
NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure, which may lead to a heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query whose decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then read more bytes than necessary until it finds a non-'0x00' byte. Depending on the underlying memory allocator and the memory layout, this could lead to a heap overflow while reading, followed by a crash. The likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unbound 1.6.2–1.25.0 with DNSCrypt enabled has a heap overflow DoS via a crafted all-zero plaintext DNSCrypt query.
Vulnerability
NLnet Labs Unbound versions 1.6.2 up to and including 1.25.0, when compiled with DNSCrypt support (--enable-dnscrypt), contain a denial of service vulnerability in the DNSCrypt packet reading procedure. A specially crafted DNSCrypt query whose decrypted plaintext consists entirely of 0x00 bytes and lacks the expected 0x80 marker causes the code to read beyond the intended buffer boundaries while searching for a non-0x00 byte, potentially resulting in a heap overflow [1].
Exploitation
An attacker needs only to send a single DNSCrypt query whose decrypted payload is entirely 0x00 bytes. No authentication or prior access is required; the query arrives over the network. The vulnerable path does not bound its backward scan for the 0x80 marker, so Unbound continues reading past the buffer it was given until it encounters a non-0x00 byte [1]. Whether the excess reads trigger a heap overflow depends on the underlying memory allocator and memory layout; if no overflow occurs, Unbound's later packet validation rejects the query.
Impact
If a heap overflow does occur, the process may crash, resulting in a denial of service. The likelihood is described as low because the outcome depends heavily on the heap allocator and memory layout. The attacker does not gain code execution or data access; the impact is limited to service interruption [1].
Mitigation
Unbound 1.25.1, released on 2026-05-20, contains a fix that bounds reading to the given buffer space [1]. Users should upgrade to 1.25.1 or, for those on 1.25.0, apply the available patch (patch_CVE-2026-32792.diff) against the source and rebuild [1]. No workaround exists for older, unsupported versions; building without DNSCrypt support (omitting --enable-dnscrypt) removes the vulnerable code path entirely.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1a587535c5dd8 - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
2 files changed · +3 −1
dnscrypt/dnscrypt.c+1 −1 modified@@ -361,7 +361,7 @@ dnscrypt_server_uncurve(struct dnsc_env* env, len -= DNSCRYPT_QUERY_HEADER_SIZE; - while (*sldns_buffer_at(buffer, --len) == 0) + while (len>0 && *sldns_buffer_at(buffer, --len) == 0) ; if (*sldns_buffer_at(buffer, len) != 0x80) {
doc/Changelog+2 −0 modified@@ -6,6 +6,8 @@ Networks, for the report. - Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew + Griffiths from 'calif.io' for the report. 23 April 2026: Wouter - Merge #1441: Fix buffer overrun in
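Review bot: In the dnscrypt/dnscrypt.c hunk, the new `len>0 &&` guard works only through short-circuit evaluation: `--len` executes solely when `len > 0`, so `len` bottoms out at 0 and the following `if (*sldns_buffer_at(buffer, len) != 0x80)` reads index 0, which is inside the buffer. Two points to confirm in review: the visible `len -= DNSCRYPT_QUERY_HEADER_SIZE;` just above the loop is itself unguarded in this hunk, so the caller must already guarantee `len >= DNSCRYPT_QUERY_HEADER_SIZE` or an unsigned `len` wraps before the loop is ever reached; and the change carries no regression test for an all-zero decrypted payload, which is the exact input that exposed the bug and is cheap to add alongside the changelog entry.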
Vulnerability mechanics
Root cause
"Missing bounds check in a while-loop that decrements a buffer length counter allows reading past the beginning of the buffer when the decrypted DNSCrypt query consists entirely of 0x00 bytes."
Attack vector
An attacker sends a single DNSCrypt query whose decrypted plaintext consists entirely of 0x00 bytes, lacking the expected 0x80 marker byte. The vulnerable loop in `dnscrypt_server_uncurve()` [patch_id=793705] decrements `len` and reads backwards through the buffer without checking whether `len` has dropped below zero. This underflow causes the function to read out-of-bounds memory until a non-zero byte is encountered [CWE-125]. If the out-of-bounds read triggers a heap overflow due to the underlying allocator's behavior, the process may crash. The attack requires no authentication and is sent over the network to a DNSCrypt-enabled Unbound server compiled with `--enable-dnscrypt`.
Affected code
The vulnerable code is in `dnscrypt/dnscrypt.c` within the function `dnscrypt_server_uncurve()`. The while-loop at line 364 decrements `len` and reads from the buffer without verifying that `len` remains non-negative, allowing an out-of-bounds read when the decrypted query contains only 0x00 bytes.
What the fix does
The patch adds a `len>0 &&` guard to the while-loop condition in `dnscrypt/dnscrypt.c` [patch_id=793705]. Before the fix, the loop would unconditionally decrement `len` and call `sldns_buffer_at(buffer, --len)`, which could underflow `len` to a negative value when the entire decrypted payload consists of 0x00 bytes. The new check ensures the loop stops when `len` reaches zero, preventing any out-of-bounds read. After the loop, the subsequent `if (*sldns_buffer_at(buffer, len) != 0x80)` check will correctly reject the malformed packet because the 0x80 marker was never found.
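The bounded padding scan described here and in the Exploitation section, as an added example that is not Unbound's own code: `toy_buffer` and `toy_buffer_at()` are hypothetical stand-ins for `sldns_buffer` and `sldns_buffer_at()`, `len` is treated as an unsigned `size_t` (an assumption about the type), and the zero-length guard is added here rather than taken from the patch.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal stand-in for Unbound's sldns_buffer: a byte array plus the
 * number of valid bytes. Hypothetical type, not Unbound's own. */
typedef struct {
    const uint8_t *data;
    size_t limit;
} toy_buffer;

/* Mirrors sldns_buffer_at(): pointer to the byte at index `at`. The
 * assert turns any out-of-bounds index into an abort instead of a
 * silent wild read, which is what the unguarded loop would produce. */
static const uint8_t *toy_buffer_at(const toy_buffer *b, size_t at)
{
    assert(at < b->limit);
    return b->data + at;
}

/* Strip DNSCrypt padding: scan backwards over trailing 0x00 bytes and
 * expect the 0x80 marker just before them. `len` is the plaintext
 * length after the query header has already been subtracted, as in
 * dnscrypt_server_uncurve(). Returns 1 and stores the marker index in
 * *out_len when the marker is found, 0 when the packet is rejected.
 * The `len > 0 &&` guard is the CVE-2026-32792 fix: because `len` is
 * unsigned here, `--len` from 0 would wrap to SIZE_MAX and index far
 * outside the buffer; short-circuit evaluation keeps the decrement
 * from running once len reaches 0. */
int strip_dnscrypt_padding(const toy_buffer *buf, size_t len, size_t *out_len)
{
    if (len == 0)              /* extra guard added in this example */
        return 0;
    while (len > 0 && *toy_buffer_at(buf, --len) == 0)
        ;
    if (*toy_buffer_at(buf, len) != 0x80)
        return 0;              /* all-zero or unpadded payload: reject */
    *out_len = len;
    return 1;
}

/* Helper for tests: run the scan over a plain byte array of n bytes. */
int scan_bytes(const uint8_t *bytes, size_t n, size_t *out_len)
{
    toy_buffer b;
    b.data = bytes;
    b.limit = n;
    return strip_dnscrypt_padding(&b, n, out_len);
}
```

An all-zero payload now exits the loop with `len == 0` and is rejected by the marker check, while a correctly padded payload yields the index of the 0x80 byte.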
Preconditions
- config: Unbound must be compiled with DNSCrypt support (--enable-dnscrypt).
- network: Attacker must be able to send a DNSCrypt query to the vulnerable server.
- input: The decrypted plaintext of the DNSCrypt query must consist entirely of 0x00 bytes, with no 0x80 marker byte present.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt (NVD tags: Mitigation, Vendor Advisory)