The CVE number for this vulnerability is CVE-2026-32792.

== Summary

A denial of service vulnerability has been discovered in Unbound when compiled with DNSCrypt support (--enable-dnscrypt). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure, which may lead to a heap overflow. Unbound 1.25.1 includes a fix to bound reading in the given buffer space.

== Affected products

Unbound 1.6.2 up to and including version 1.25.0.

== Description

A malicious actor can exploit the vulnerability with a single bad DNSCrypt query whose decrypted plaintext consists entirely of `0x00` bytes and does not contain the expected `0x80` marker. Unbound would then keep reading beyond the plaintext until it finds a non-`0x00` byte. Depending on the underlying memory allocator and the memory layout, this read could overflow the heap buffer and crash Unbound. The likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will reject the packet. Unbound 1.25.1 includes a fix to bound reading in the given buffer space.

== Mitigation

=== Downloading patched version

Unbound 1.25.1 is released with the patch: https://nlnetlabs.nl/downloads/unbound/unbound-1.25.1.tar.gz

=== Applying the patch manually

For Unbound 1.25.0 the patch is: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-32792.diff

Apply the patch in the Unbound source directory with:

patch -p1 < patch_CVE-2026-32792.diff

then run 'make install' to install Unbound. The patch is tested to work on Unbound 1.25.0.

== Acknowledgments

We would like to thank Andrew Griffiths from 'calif.io' for discovering and responsibly disclosing the vulnerability.
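As an added illustration, not Unbound's source code and not the contents of the patch, the block below reconstructs the padding-stripping step the Description refers to: a DNSCrypt plaintext ends in a single `0x80` marker followed by `0x00` bytes, and the reader has to locate that marker by scanning backwards without stepping before the start of the buffer. `strip_padding_unchecked` shows the bug class (an index that wraps once every byte is zero), and `dnscrypt_strip_padding` is a bounded version that rejects an all-zero plaintext instead of reading outside the allocation. All function names, the wrapper and the sample buffers are constructed for this example and are assumptions, not identifiers from Unbound.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * DNSCrypt pads a decrypted query ISO/IEC 7816-4 style: the payload is
 * followed by one 0x80 marker byte and then zero or more 0x00 bytes.
 * Stripping the padding means scanning back from the end for the marker.
 */
#define DNSCRYPT_PAD_MARKER 0x80

/*
 * Unchecked variant: an illustration of the defect class, NOT Unbound's
 * source. If the plaintext is all 0x00 bytes the first loop drives i down
 * to 0 and the pre-decrement below wraps i to SIZE_MAX, so buf[i] is read
 * far outside the allocation. Kept only for contrast with the bounded
 * version; it must never be given untrusted data.
 */
int strip_padding_unchecked(const uint8_t *buf, size_t len, size_t *out_len)
{
    size_t i = len;
    while (i > 0 && buf[i - 1] == 0x00)
        i--;
    if (buf[--i] != DNSCRYPT_PAD_MARKER)   /* i == 0 wraps around here */
        return 0;
    *out_len = i;
    return 1;
}

/*
 * Bounded version: the scan never steps before buf[0]. Returns 1 and sets
 * *out_len to the unpadded length when the marker is found; returns 0 for
 * an empty buffer, an all-0x00 buffer, or a non-zero byte where only
 * padding zeros are allowed. A 0 return means the query is malformed and
 * the caller should drop it instead of parsing it further.
 */
int dnscrypt_strip_padding(const uint8_t *buf, size_t len, size_t *out_len)
{
    size_t i = len;
    while (i > 0) {
        i--;
        if (buf[i] == DNSCRYPT_PAD_MARKER) {
            *out_len = i;
            return 1;
        }
        if (buf[i] != 0x00)
            return 0;   /* garbage inside the padding region */
    }
    return 0;           /* ran out of buffer without seeing the marker */
}

/* Convenience wrapper: unpadded length, or -1 when the padding is malformed. */
long dnscrypt_unpad_len(const uint8_t *buf, size_t len)
{
    size_t n;
    return dnscrypt_strip_padding(buf, len, &n) ? (long)n : -1;
}

int main(void)
{
    /* Constructed sample plaintexts, not captured DNSCrypt traffic. */
    const uint8_t well_formed[] = { 'q', 'u', 'e', 'r', 'y', 0x80, 0x00, 0x00, 0x00 };
    const uint8_t all_zero[16]  = { 0 };
    const uint8_t no_marker[]   = { 'q', 'u', 'e', 'r', 'y' };

    printf("well-formed : %ld\n", dnscrypt_unpad_len(well_formed, sizeof well_formed)); /* 5 */
    printf("all zero    : %ld\n", dnscrypt_unpad_len(all_zero, sizeof all_zero));       /* -1 */
    printf("no marker   : %ld\n", dnscrypt_unpad_len(no_marker, sizeof no_marker));     /* -1 */
    printf("empty       : %ld\n", dnscrypt_unpad_len(all_zero, 0));                     /* -1 */
    return 0;
}
```

The bounded loop only ever indexes `buf[i]` with `i < len`, so the all-zero case that the advisory describes ends in a clean rejection rather than a read past the buffer; the later packet checks the advisory mentions then never see the malformed query at all.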