Impact
NLnet Labs ldns versions 1.2.0 through 1.9.0 omit critical checks on responses to UDP stub resolver queries. They do not verify that the source of a response matches the destination of the request, nor do they check the query ID and the question section. This flaw permits an off‑path attacker to craft forged DNS responses that the resolver will accept, effectively poisoning the resolver’s cache. The consequence is that legitimate domain name queries can be redirected to malicious IP addresses, enabling a range of attacks such as phishing, data exfiltration, or denial of service without needing direct access to the target system.
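The three checks the advisory says are missing (response source equals query destination, matching query ID, matching question section), written out as an added example in plain C over raw DNS wire bytes. This is not ldns code and does not use the ldns API; the sample query, reply, and the server address 192.0.2.53 are constructed for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Length in bytes of the uncompressed wire name at off (root label included),
   or -1 if truncated or compressed; a pointer is never valid in the first question. */
static int qname_len(const uint8_t *p, size_t len, size_t off) {
    for (size_t i = off; i < len; i += 1 + p[i]) {
        if (p[i] == 0) return (int)(i - off + 1);
        if (p[i] >= 0xC0 || i + 1 + p[i] > len) return -1;
    }
    return -1;
}
/* The checks the advisory says ldns 1.2.0-1.9.0 skipped: reply source must equal the
   query destination, IDs must match, and the question must be repeated (name case-insensitive). */
int response_matches(const uint8_t *q, size_t qlen, const uint8_t *r, size_t rlen,
                     const char *q_dst, uint16_t q_port, const char *r_src, uint16_t r_port) {
    if (strcmp(q_dst, r_src) != 0 || q_port != r_port) return 0;         /* source check */
    if (qlen < 12 || rlen < 12 || q[0] != r[0] || q[1] != r[1]) return 0; /* 16-bit ID */
    if (!(r[2] & 0x80)) return 0;                                        /* QR bit must be set */
    if (q[4] != 0 || q[5] != 1 || r[4] != 0 || r[5] != 1) return 0;      /* exactly one question */
    int qn = qname_len(q, qlen, 12), rn = qname_len(r, rlen, 12);
    if (qn < 0 || qn != rn || 16 + (size_t)qn > qlen || 16 + (size_t)qn > rlen) return 0;
    for (int i = 0; i < qn; i++)                                         /* QNAME, case-insensitive */
        if (tolower(q[12 + i]) != tolower(r[12 + i])) return 0;
    return memcmp(q + 12 + qn, r + 12 + qn, 4) == 0;                     /* QTYPE + QCLASS */
}
/* Constructed sample: query ID 0x1234 for example.com IN A sent to 192.0.2.53:53,
   and the legitimate reply (name echoed in mixed case, A 192.0.2.1). */
#define SERVER "192.0.2.53"
static const uint8_t QUERY[] = { 0x12,0x34, 0x01,0x00, 0,1, 0,0, 0,0, 0,0,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1 };
static const uint8_t GOOD[] = { 0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    7,'E','x','a','m','p','l','e', 3,'c','o','m', 0, 0,1, 0,1,
    0xC0,0x0C, 0,1, 0,1, 0,0,0x0E,0x10, 0,4, 192,0,2,1 };
/* Legitimate reply from the server the query went to: accepted. */
int accepts_legit(void) { return response_matches(QUERY, sizeof QUERY, GOOD, sizeof GOOD, SERVER, 53, SERVER, 53); }
/* Off-path forgery: correct ID and question, but from an address the query never went to. */
int accepts_off_path(void) { return response_matches(QUERY, sizeof QUERY, GOOD, sizeof GOOD, SERVER, 53, "198.51.100.7", 53); }
/* From the right source but with a wrong ID (byte flipped) or a wrong question (com -> xom). */
int accepts_forged(int wrong_id) {
    uint8_t f[sizeof GOOD];
    memcpy(f, GOOD, sizeof GOOD);
    if (wrong_id) f[0] ^= 0xFF; else f[21] = 'x';
    return response_matches(QUERY, sizeof QUERY, f, sizeof f, SERVER, 53, SERVER, 53);
}
```

A patched resolver drops any reply that fails these checks instead of caching it; the vulnerable versions accepted all three forgeries above.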
Affected Systems
All installations of NLnet Labs ldns between version 1.2.0 and 1.9.0, inclusive, are affected when used as a stub resolver over UDP. The bundled drill utility is also vulnerable. Any application that links against these library versions and performs UDP DNS queries, such as custom resolvers or local services relying on ldns, is at risk.
Risk and Exploitability
The CVSS score of 8.2 classifies this as a high‑severity issue. EPSS data is not available, but the missing validation makes exploitation likely on networks where UDP DNS traffic is permitted. The attack vector is off‑path: an attacker can send forged responses to any resolver that uses the vulnerable ldns library without needing to intercept existing traffic. Because the vulnerability involves only DNS responses, no key modification is required. The vulnerability is not listed in KEV, so it is not yet recorded as exploited in the wild, but the potential impact remains substantial.
OpenCVE Enrichment