PatchSiren

CVE-2026-32792 NLnet Labs CVE debrief

CVE-2026-32792 affects NLnet Labs Unbound versions 1.6.2 through 1.25.0 when compiled with DNSCrypt support (--enable-dnscrypt). According to the vendor and NVD, a single malformed DNSCrypt query whose decrypted plaintext is all 0x00 bytes and lacks the expected 0x80 marker can underflow the packet-reading logic, potentially causing a heap overflow and a crash. NLnet Labs states that version 1.25.1 fixes the issue by bounding reads to the available buffer space.

Vendor: NLnet Labs
Product: Unbound
CVSS: MEDIUM 4.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

Operators running Unbound with DNSCrypt enabled should prioritize this advisory, especially if the resolver accepts untrusted network traffic. Package maintainers and appliance vendors shipping affected Unbound builds should also verify whether their builds include DNSCrypt support and whether they need to roll out the fixed release.

Technical summary

NVD classifies the issue as network-exploitable with no privileges or user interaction required and rates it 4.6 (Medium). The flaw is a memory-safety problem in DNSCrypt packet parsing: a malformed decrypted payload can make Unbound read beyond the intended buffer while searching for a marker byte, which may lead to heap overflow and then a crash depending on allocator behavior and memory layout. If overflow does not occur, later packet checks may reject the packet. The affected range is Unbound 1.6.2 through 1.25.0, and the fix is in 1.25.1.
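
The bounded marker search described above, as an added example that is not Unbound source code or the vendor's patch. It assumes the DNSCrypt padding layout (a 0x80 marker followed by 0x00 bytes at the end of the decrypted plaintext, scanned from the end); `strip_padding` and the sample buffers are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample plaintexts (not captured traffic). */
static const uint8_t sample_ok[]          = { 0xde, 0xad, 0x80, 0x00, 0x00 };
static const uint8_t sample_all_zero[]    = { 0x00, 0x00, 0x00, 0x00 };
static const uint8_t sample_no_marker[]   = { 0xde, 0xad, 0x00, 0x00 };
static const uint8_t sample_marker_only[] = { 0x80 };

/*
 * Hypothetical helper: return the payload length once the trailing
 * padding (0x80 then zero or more 0x00 bytes) is removed, or -1 if the
 * padding is malformed.
 */
static long strip_padding(const uint8_t *buf, size_t len)
{
    size_t i = len;

    /* Walk back over trailing zeros without stepping before buf[0].
     * Without the i > 0 bound, an all-zero plaintext keeps the scan
     * running below the start of the allocation. */
    while (i > 0 && buf[i - 1] == 0x00)
        i--;

    if (i == 0)
        return -1;            /* empty or all zeros: no marker at all */
    if (buf[i - 1] != 0x80)
        return -1;            /* last non-zero byte is not the marker */

    return (long)(i - 1);     /* payload ends just before the marker */
}

int main(void)
{
    printf("valid padding:  %ld\n", strip_padding(sample_ok, sizeof sample_ok));
    printf("all zero bytes: %ld\n", strip_padding(sample_all_zero, sizeof sample_all_zero));
    printf("no 0x80 marker: %ld\n", strip_padding(sample_no_marker, sizeof sample_no_marker));
    printf("marker only:    %ld\n", strip_padding(sample_marker_only, sizeof sample_marker_only));
    return 0;
}
```

The all-zero case is the input shape named in the advisory; here it is rejected before any byte outside the buffer is read.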

Defensive priority

Medium priority: patch promptly if DNSCrypt support is enabled, because the issue is remotely triggerable and can cause denial of service, but the vendor notes the crash likelihood is low and depends on heap layout.

Recommended defensive actions

  • Upgrade Unbound to 1.25.1 or later.
  • Verify whether your Unbound build was compiled with DNSCrypt support (--enable-dnscrypt).
  • If you cannot upgrade immediately, remove or disable DNSCrypt support where operationally feasible.
  • Check package/vendor releases for backported fixes if you rely on distribution builds.
  • Monitor affected resolvers for unexpected crashes or restarts until patched.

Evidence notes

This debrief is based on the official NVD record for CVE-2026-32792 and the linked NLnet Labs vendor advisory. NVD marks the vulnerability as analyzed, lists affected Unbound versions from 1.6.2 up to but not including 1.25.1, and includes the vendor reference dated the same publication day as the CVE.

Official resources

The CVE was published on 2026-05-20 and last modified on 2026-05-20. The vendor advisory referenced by NVD was also published on 2026-05-20, and the fixed version is Unbound 1.25.1.