Denial of Service Vulnerability in NLnet Labs Unbound DNS Service
CVE-2026-32792

4.6 MEDIUM

Key Information:

Vendor

NLnet Labs

Status
Vendor
CVE Published: 20 May 2026

What is CVE-2026-32792?

NLnet Labs Unbound versions 1.6.2 through 1.25.0 are affected by a denial of service vulnerability when DNSCrypt support is enabled. An incorrectly formatted DNSCrypt query can trigger an underflow that leads Unbound to read beyond the intended memory buffer, potentially causing a heap overflow. This occurs when the data received consists solely of '0x00' bytes and fails to meet the expected format, leading to a situation where the program misreads the memory allocation. The likelihood of crashing the service is relatively low because it depends on memory allocator behavior and layout, but it is advisable to update to Unbound version 1.25.1 or later, which includes a mitigation against this vulnerability.

Affected Version(s)

Unbound 1.6.2 < 1.25.1
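An exposure check for the two conditions described above (a version in the affected range and DNSCrypt enabled), added here as an example and not taken from NLnet Labs or this advisory. It assumes the version string comes from `unbound -V` output and that the last `dnscrypt-enable:` line in the configuration wins; the sample inputs are constructed.

```python
import re

# Range as stated on this page: 1.6.2 through 1.25.0 affected, fixed in 1.25.1.
FIRST_AFFECTED = (1, 6, 2)
FIRST_FIXED = (1, 25, 1)

# Constructed sample inputs, not captured from a real host.
SAMPLE_VERSION_OUTPUT = "Version 1.19.3\n\nConfigure line: --enable-dnscrypt\n"
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
dnscrypt:
    dnscrypt-enable: yes   # listener is on
    dnscrypt-port: 443
"""


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z found in the text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def version_affected(version_text):
    """True if the version lies in [1.6.2, 1.25.1)."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def dnscrypt_enabled(conf_text):
    """True if the last uncommented dnscrypt-enable setting is 'yes'.

    include: directives are not followed; pass the text of included files too.
    """
    enabled = False
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r'dnscrypt-enable\s*:\s*"?(\w+)"?$', line)
        if m:
            enabled = m.group(1).lower() == "yes"
    return enabled


def exposed(version_text, conf_text):
    """Both conditions from the advisory must hold for the host to be exposed."""
    return version_affected(version_text) and dnscrypt_enabled(conf_text)


if __name__ == "__main__":
    print("exposed:", exposed(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF))
```

Distribution packages may carry a backported fix under an older version number, so treat a positive result as a prompt to check the package changelog rather than as proof.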

CVSS V4

Score: 4.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrew Griffiths (calif.io)