Description
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A specially crafted Service Binding (SVCB) resource record in an AXFR transfer can trigger a heap overflow in the Name Server Daemon (NSD) when it is configured as a secondary for a zone. The overflow occurs because an rdata size of 65512 exceeds the 16‑bit limit, causing an unsigned integer overflow in a variable used for memory allocation. This allows an attacker to perform a controlled head write of up to 65509 bytes, which is classified as a remote code execution class vulnerability.

Affected Systems

The vulnerability affects the NLnet Labs NSD server. Versions prior to 4.14.3 are impacted; the issue was addressed in the 4.14.3 release.

Risk and Exploitability

With a CVSS score of 8.7, this is a high‑severity issue. The EPSS score is currently unavailable, and it is not listed in the CISA KEV catalog, so a precise exploitation probability is undetermined. If an adversary can control a zone’s primary server to send a malicious AXFR, the attack path is straightforward and can result in a crash or potential code execution on the secondary host.

Generated by OpenCVE AI on June 25, 2026 at 07:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 4.14.3.

OpenCVE Recommended Actions

  • Upgrade to NSD version 4.14.3 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, consider disabling AXFR functionality or preventing NSD from acting as a secondary for zones controlled by untrusted primaries.
  • After the upgrade or configuration change, monitor system logs for any attempts to trigger DNS transfers from unknown sources to confirm that the vulnerability is no longer exploitable.

Generated by OpenCVE AI on June 25, 2026 at 07:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Title Heap overflow and crash with crafted SVCB RR
Weaknesses CWE-122
CWE-190
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-25T05:24:08.548Z

Reserved: 2026-06-15T06:46:44.866Z

Link: CVE-2026-12244

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T07:30:17Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow

  • CWE-190

    Integer Overflow or Wraparound