Description
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A specially crafted Service Binding (SVCB) resource record in an AXFR transfer can trigger a heap overflow in the Name Server Daemon (NSD) when it is configured as a secondary for a zone. The overflow occurs because an rdata size of 65512 exceeds the 16-bit limit, causing an unsigned integer overflow in a variable used for memory allocation. This allows an attacker to perform a controlled head write of up to 65509 bytes, which is classified as a remote code execution class vulnerability.

Affected Systems

The vulnerability affects the NLnet Labs NSD server. Versions prior to 4.14.3 are impacted; the issue was addressed in the 4.14.3 release.

Risk and Exploitability

With a CVSS score of 8.7, this is a high-severity issue. The EPSS score of 0.00303 indicates a very low but non-zero exploitation probability, and it is not listed in the CISA KEV catalog, so a precise exploitation probability is undetermined. If an adversary can control a zone’s primary server to send a malicious AXFR, the attack path is straightforward and can result in a crash or potential code execution on the secondary host.

Generated by OpenCVE AI on June 30, 2026 at 01:55 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 4.14.3.


OpenCVE Recommended Actions

  • Upgrade to NSD version 4.14.3 or later to apply the vendor fix.
  • If an upgrade cannot be performed immediately, consider disabling AXFR functionality or preventing NSD from acting as a secondary for zones controlled by untrusted primaries.
  • After the upgrade or configuration change, monitor system logs for any attempts to trigger DNS transfers from unknown sources to confirm that the vulnerability is no longer exploitable.

Generated by OpenCVE AI on June 30, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8474-1 NSD vulnerabilities
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs nsd
Vendors & Products Nlnetlabs
Nlnetlabs nsd
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Title Heap overflow and crash with crafted SVCB RR
Weaknesses CWE-122
CWE-190
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-25T12:45:34.403Z

Reserved: 2026-06-15T06:46:44.866Z

Link: CVE-2026-12244

cve-icon Vulnrichment

Updated: 2026-06-25T12:45:30.211Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-12244 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T02:00:05Z

Weaknesses