Skip to main content

NLnet Labs Unbound EUVDEUVD-2026-31077

| CVE-2026-32792 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-20 sep@nlnetlabs.nl GHSA-8v34-57vr-p4cp
4.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
May 20, 2026 - 11:02 EUVD
Analysis Generated
May 20, 2026 - 10:32 vuln.today

DescriptionCVE.org

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query that its decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then start reading more bytes than necessary until it finds a non-'0x00' byte. Based on the underlying memory allocator and the memory layout, it could lead to heap overflow while reading followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space.

AnalysisAI

Heap out-of-bounds read in Unbound's DNSCrypt packet handling allows a remote unauthenticated attacker to potentially crash the resolver with a single malformed query, causing denial of service. Affected are all Unbound installations from version 1.6.2 through 1.25.0 that were compiled with the optional '--enable-dnscrypt' flag. The crash is probabilistic rather than guaranteed - whether the out-of-bounds read escalates to a heap overflow depends entirely on the memory allocator behavior and heap layout at runtime; absent a crash, Unbound's own packet validation will discard the offending query. No public exploit exists and no active exploitation has been identified at time of analysis.

Technical ContextAI

Unbound is a validating, recursive, caching DNS resolver maintained by NLnet Labs. DNSCrypt is an optional protocol layered over DNS that encrypts and authenticates resolver traffic; it is compiled into Unbound only when the build flag '--enable-dnscrypt' is explicitly set, making it a non-default deployment configuration. The root cause is CWE-125 (Out-of-bounds Read): the DNSCrypt packet reading procedure performs an underflow on its read position when the decrypted plaintext of a received query consists entirely of 0x00 bytes and therefore lacks the expected 0x80 marker byte. Instead of bounding reads to the declared buffer space, the code continues scanning forward through memory until it encounters a non-zero byte. Depending on what occupies adjacent heap memory, this unbounded scan can produce a heap overflow condition, ultimately crashing the Unbound process. The vendor-confirmed fix in 1.25.1 adds an explicit bounds check so that reading is constrained within the legitimate buffer window.

RemediationAI

The primary remediation is upgrading to Unbound 1.25.1, which contains a vendor-released patch that bounds the DNSCrypt buffer read to the declared buffer space, eliminating the out-of-bounds condition. The advisory is at https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt. For operators who cannot immediately upgrade, the most effective compensating control is to recompile Unbound without the '--enable-dnscrypt' flag if DNSCrypt is not operationally required - this entirely removes the vulnerable code path with no DNS resolution impact, though it eliminates DNSCrypt-encrypted client support. If DNSCrypt is required and patching is deferred, restricting access to the DNSCrypt listener port (typically UDP/443 or a custom port) to known trusted client IP ranges via firewall rules reduces the attack surface at the cost of blocking legitimate DNSCrypt clients from untrusted networks. Network-layer rate limiting of DNSCrypt traffic is a weaker mitigation that does not prevent the vulnerability but may reduce crash probability under sustained attack.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

EUVD-2026-31077 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy