Description
NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
Published: 2026-06-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap use‑after‑free bug triggered during error logging on TLS connections. When a DNS query is sent over a DoT connection and the client closes the connection before reading the response, the bug causes NSD to crash, resulting in a denial‑of‑service of the DNS over TLS service for any client attempting to use the server. Based on the description, it is inferred that the flaw does not provide an attacker with code execution or privilege escalation.

Affected Systems

NLnet Labs’ NSD authoritative name server is affected. Versions from 4.13.0 up to, but not including, 4.14.3 contain the flaw. The fix is available in 4.14.3; older releases remain vulnerable.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. EPSS score of < 1% indicates a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is trivial—any DoT client can generate the crash without authentication. The crash leads to a temporary denial of DNS over TLS service, potentially impacting availability for legitimate users.

Generated by OpenCVE AI on June 30, 2026 at 03:24 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 4.14.3.


OpenCVE Recommended Actions

  • Upgrade NSD to version 4.14.3 or later to eliminate the heap use‑after‑free bug
  • If an upgrade cannot be performed immediately, block or filter DNS over TLS traffic from untrusted clients until the patch is applied
  • Continuously monitor server logs for crash events and restart the NSD process as needed to maintain availability

Generated by OpenCVE AI on June 30, 2026 at 03:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8474-1 NSD vulnerabilities
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-617
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs nsd
Vendors & Products Nlnetlabs
Nlnetlabs nsd
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
Title Denial of DNS over TLS service by any DoT client
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-25T12:42:50.104Z

Reserved: 2026-06-15T06:47:18.496Z

Link: CVE-2026-12245

cve-icon Vulnrichment

Updated: 2026-06-25T12:42:36.299Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-12245 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T03:30:05Z

Weaknesses