Fedora Account System
Red Hat Associate
Red Hat Customer
A malicious actor can exploit the vulnerability with a single bad DNSCrypt query that its decrypted plaintext consists entirely of `0x00` bytes and does not contain the expected `0x80` marker. Unbound would then start reading more bytes than necessary until it finds a non-`0x00` byte. Based on the underlying memory allocator and the memory layout, it could lead to heap overflow while reading followed by a crash. Likelihood of a crash is low, since it relies heavily on the underlying memory allocator and the memory layout. If the heap overflow does not happen, Unbound's later packet checks will deny the packet. Unbound 1.25.1 includes a fix to bound reading in the given buffer space.