CVE-2026-32792

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query that its decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then start reading more bytes than necessary until it finds a non-'0x00' byte. Based on the underlying memory allocator and the memory layout, it could lead to heap overflow while reading followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space.

References

https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt

Affected packages

Git / github.com/nlnetlabs/unbound

Affected ranges

Type

GIT

Repo

https://github.com/nlnetlabs/unbound

Events

Introduced

93732890aaae9ced2d55ce13b12ce01dc06d9e31

Fixed

75b6dba593d4fff000434cd64807c6ebd50bd244

Database specific

{
    "extracted_events": [
        {
            "introduced": "1.6.2"
        },
        {
            "fixed": "1.25.1"
        }
    ],
    "cpe": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Database specific

vanir_signatures

[
    {
        "digest": {
            "length": 1502.0,
            "function_hash": "26148135886169857913239956572075736548"
        },
        "signature_version": "v1",
        "id": "CVE-2026-32792-7cb89fac",
        "target": {
            "file": "services/rpz.c",
            "function": "rpz_callback_from_iterator_module"
        },
        "deprecated": false,
        "signature_type": "Function",
        "source": "https://github.com/nlnetlabs/unbound/commit/75b6dba593d4fff000434cd64807c6ebd50bd244"
    },
    {
        "digest": {
            "line_hashes": [
                "108481287081154918060659085654141150584",
                "73953166938600086918224773195867549742",
                "15251087855327528788980657535362970158",
                "48532896601082718174781974683716349061",
                "287248990686482337183326495344180868363",
                "112058947495561481565691171486557666856",
                "238258467286774268681997190612827183971",
                "126648031849056156900266153546629664662",
                "335401097143186200364020904286165936708",
                "336096779053276656395004922884987906159",
                "248876396313049466881138460638611830858",
                "293135123655960925553682804594622081358",
                "298612071867479354827766089224387452786",
                "217265304546593372824910550975155656654",
                "13292601781282786772501437491204364169",
                "281286782737850123600796590480125479595",
                "74511316679551775089931390035715335201",
                "161066344018382590627892027575409612852",
                "226343512543910522766563315515650712879"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "id": "CVE-2026-32792-a3b17d2e",
        "target": {
            "file": "services/rpz.c"
        },
        "deprecated": false,
        "source": "https://github.com/nlnetlabs/unbound/commit/75b6dba593d4fff000434cd64807c6ebd50bd244",
        "signature_type": "Line"
    }
]

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-32792.json"

vanir_signatures_modified

"2026-05-31T03:35:24Z"