Description
NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure, which may lead to a heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query whose decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then keep reading more bytes than necessary until it finds a non-'0x00' byte. Depending on the underlying memory allocator and the memory layout, this could lead to a heap overflow while reading, followed by a crash. The likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch that bounds reading to the given buffer space.
Published: 2026-05-20
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unbound versions 1.6.2 to 1.25.0 compiled with DNSCrypt support can be stressed by a single malicious DNSCrypt query whose decrypted payload consists entirely of 0x00 bytes and lacks the expected 0x80 marker. Unbound reads more bytes than it is supposed to, potentially causing a heap overflow during the packet reading step. Even if the overflow does not occur, the packet will fail validation and be rejected, resulting in a denial of service. The vulnerability is classified under CWE-125 (Out-of-bounds Read) and CWE-166 (Improper Handling of Missing Special Element). The real impact is a service crash or repeated packet rejection, compromising availability.
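As an added illustration (hypothetical code, not Unbound's own dnscrypt.c), the defect class the description reports: a padding-strip loop that walks backwards over 0x00 bytes looking for the DNSCrypt 0x80 marker, first without a length bound and then bounded the way the 1.25.1 fix is described. Function names and the sample payloads are assumptions.

```c
/* Hypothetical DNSCrypt unpadding, added to illustrate the advisory.
 * DNSCrypt pads a plaintext query with a 0x80 marker followed by 0x00
 * bytes; unpadding walks backwards over the zeros to find the marker. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample payloads (not captured traffic). */
static const uint8_t kPaddedQuery[] = { 'q', 'u', 'e', 'r', 'y', 0x80, 0x00, 0x00 };
static const uint8_t kAllZero[8]    = { 0 };                 /* marker missing */
static const uint8_t kNoMarker[]    = { 'a', 'b', 0x00, 0x00 }; /* non-zero, no 0x80 */

/* Unbounded variant: the loop assumes a non-zero byte exists before the
 * start of the buffer. On an all-zero payload, len underflows and
 * buf[len - 1] reads out of bounds. Shown for contrast only; never call it
 * with an all-zero payload. */
static long unpad_unbounded(const uint8_t *buf, size_t len)
{
    while (buf[len - 1] == 0x00)      /* no check that len > 0 */
        len--;
    if (buf[len - 1] != 0x80)
        return -1;
    return (long)(len - 1);
}

/* Bounded variant: every read is preceded by a length check, so an all-zero
 * payload or a missing 0x80 marker is rejected with -1 instead of reading
 * past the buffer. Returns the plaintext length before the marker. */
static long unpad_bounded(const uint8_t *buf, size_t len)
{
    while (len > 0 && buf[len - 1] == 0x00)
        len--;
    if (len == 0 || buf[len - 1] != 0x80)
        return -1;                    /* marker missing: reject the packet */
    return (long)(len - 1);
}

int main(void)
{
    printf("well-formed query: %ld bytes of plaintext\n",
           unpad_bounded(kPaddedQuery, sizeof kPaddedQuery));
    printf("all-zero payload:  %ld (rejected)\n",
           unpad_bounded(kAllZero, sizeof kAllZero));
    printf("no marker:         %ld (rejected)\n",
           unpad_bounded(kNoMarker, sizeof kNoMarker));
    return 0;
}
```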

Affected Systems

NLnet Labs Unbound, versions 1.6.2 through 1.25.0 when built with the '--enable-dnscrypt' option. Users who update to 1.25.1 or later have the bound-reading fix applied.

Risk and Exploitability

The CVSS score of 4.6 indicates a moderate severity. EPSS is not available, so the exploitation likelihood is uncertain, but the vulnerability requires only a single ill-formed DNSCrypt query sent over the network, making it a remote attack vector. The attack requires neither privileged access nor local execution, and its impact is limited to availability. The vulnerability is not listed in the CISA KEV catalog, reducing the immediate threat pressure but still presenting a risk to systems that rely heavily on DNSCrypt for secure DNS resolution.

Generated by OpenCVE AI on May 20, 2026 at 11:50 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 1.25.1.

OpenCVE Recommended Actions

  • Upgrade Unbound to version 1.25.1 or later to apply the bound-reading patch.
  • If an upgrade is not immediately possible, disable the '--enable-dnscrypt' build option or configuration setting to remove the vulnerable code path.
  • Apply firewall rules or rate-limit incoming DNSCrypt traffic to mitigate potential repeated denial-of-service attempts.

Generated by OpenCVE AI on May 20, 2026 at 11:50 UTC.

Tracking


Advisories

Source: Ubuntu USN
ID: USN-8282-1
Title: Unbound vulnerabilities
History

Wed, 20 May 2026 13:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:00:00 +0000

Values added:
  • Description: the CVE description shown at the top of this page
  • Title: Packet of death with DNSCrypt
  • Weaknesses: CWE-125, CWE-166
  • References:
  • Metrics (cvssV4_0): {'score': 4.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-05-20T12:16:06.804Z

Reserved: 2026-05-07T10:07:51.839Z

Link: CVE-2026-32792

Vulnrichment

Updated: 2026-05-20T12:16:01.439Z

NVD

Status: Awaiting Analysis

Published: 2026-05-20T10:16:26.277

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-32792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T12:00:12Z

Weaknesses