Description
NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
Published: 2026-06-25
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap use‑after‑free (CWE-416) in the error‑logging path for TLS connections. A client opens a DoT connection, sends a DNS query, and closes the connection without reading the response; the error NSD then logs for that connection touches connection state that has already been freed, and the server process crashes. Because it is the NSD server process that dies, not just the one TLS session, that process stops serving until it is restarted, and since the trigger costs the attacker a single connection it can be repeated at will. The published metrics (CVSS 4.0 VC:N/VI:N/VA:H) rate the flaw as availability‑only: no code execution or privilege escalation is claimed, and the crash is the observed outcome of the use‑after‑free rather than a demonstrated ceiling.

Affected Systems

NLnet Labs’ NSD authoritative name server is affected when it is configured to serve DNS over TLS, since the trigger requires a DoT connection. Versions from 4.13.0 up to, but not including, 4.14.3 contain the flaw (that is, 4.13.0 through 4.14.2). The fix is available in 4.14.3; the description dates the bug to 4.13.0, so releases before that are not listed as affected.
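The version window above is easy to get wrong in fleet inventories because "4.9.1" sorts after "4.13.0" as a string. The following is an added triage helper, not code from NSD or OpenCVE; it compares integer tuples against the range stated in this advisory and treats a pre‑release of the fixed version (such as 4.14.3rc1) as not yet fixed. The sample strings are constructed to look like the first line of `nsd -v` output and are an assumption about that format, not captured from real hosts.

```python
import re

# Range stated in this advisory: introduced in 4.13.0, fixed in 4.14.3.
AFFECTED_FROM = (4, 13, 0)
FIXED_IN = (4, 14, 3)

# Matches "4.14.3" and pre-release forms such as "4.14.3rc1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?")


def parse_nsd_version(text):
    """Return ((major, minor, patch), is_prerelease) from a version string.

    Comparison is done on integer tuples, not strings: a string compare
    ranks '4.9.1' above '4.13.0' and would miss affected installs.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return base, m.group(4) is not None


def is_affected(text):
    """True if the version lies in [4.13.0, 4.14.3).

    A pre-release of the fixed version (4.14.3rc1) predates the release,
    so it is conservatively treated as not yet fixed.
    """
    base, prerelease = parse_nsd_version(text)
    if base < AFFECTED_FROM:
        return False
    if base < FIXED_IN:
        return True
    return base == FIXED_IN and prerelease


def triage(samples):
    """Map each version string to its affected / not-affected verdict."""
    return {s: is_affected(s) for s in samples}


if __name__ == "__main__":
    # Constructed sample strings in the shape of `nsd -v` output (assumed
    # format; NSD prints its version to stderr). Not captured from real hosts.
    SAMPLES = [
        "NSD version 4.12.0",     # predates the bug
        "NSD version 4.13.0",     # first affected release
        "NSD version 4.14.2",     # last affected release
        "NSD version 4.14.3rc1",  # pre-release of the fix, still affected
        "NSD version 4.14.3",     # first fixed release
        "NSD version 4.9.1",      # the case a string compare gets wrong
    ]
    for sample, hit in triage(SAMPLES).items():
        print(f"{sample:26} {'AFFECTED' if hit else 'not affected'}")
```

Feed it whatever your inventory already records (package versions, `nsd -v` output collected by your configuration management); the verdict is only as good as the version string, so hosts running a vendor backport with a patched 4.14.2 need to be checked against the vendor's own advisory rather than this range.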

Risk and Exploitability

The CVSS 4.0 base score of 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VA:H) reflects a remote, unauthenticated, low‑complexity trigger with high availability impact and no confidentiality or integrity impact. EPSS is not yet available and the CVE is not listed in the CISA KEV catalog, but the trigger is trivial: any client that can reach the DoT port can crash the process without authentication, and nothing stops it from reconnecting and doing so again after every restart, so the outage is "temporary" only for as long as the attacker chooses to stop. Servers that do not expose DNS over TLS are not reachable through this path.

Generated by OpenCVE AI on June 25, 2026 at 07:22 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 4.14.3.


OpenCVE Recommended Actions

  • Upgrade NSD to version 4.14.3 or later; this is the only fix for the heap use‑after‑free
  • If an upgrade cannot be performed immediately, stop exposing DNS over TLS until it can: firewall TCP/853 (or whichever tls-port is configured) from untrusted networks, or disable the DoT listener in nsd.conf by removing the tls-service-key / tls-service-pem settings or the ip-address entries bound to the TLS port. On an authoritative server "trusted clients" is rarely a meaningful set, so filtering by client is weaker than removing the listener
  • Run NSD under a supervisor that restarts it on failure (for example a systemd unit with Restart=on-failure) and alert on crash events in the server logs; automatic restart shortens each outage but does not stop a trivially repeatable trigger, so treat a restart loop as a signal to patch rather than as a mitigation
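Restart-on-failure only helps if something notices when DoT stops answering. The block below is an added availability probe for use from a monitoring host; it is not code from NSD or OpenCVE. It builds a minimal SOA query, sends it over TLS with the 2‑byte length prefix that DNS over TCP/TLS requires, and reads the complete response before closing. That last step matters: the crash trigger in this advisory is precisely a query followed by a close without reading, so a sloppy monitor would itself take down an unpatched server. The hostname, zone and port are placeholders supplied on the command line, the probe assumes the server's certificate matches the hostname unless verify=False is passed, and the response bytes used in the checks are constructed, not captured.

```python
import socket
import ssl
import struct
import sys

TXID = 0x4E53  # arbitrary fixed transaction id, verified on the way back


def build_query(qname, qtype=6, txid=TXID):
    """Build a minimal DNS query: 12-byte header plus one question.

    qtype 6 is SOA, which every authoritative zone answers; class is IN;
    flags are 0 (no RD, which an authoritative server ignores anyway).
    """
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DNS over TCP and over TLS prefix each message with a 2-byte
    big-endian length (RFC 1035 section 4.2.2, RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg, expected_txid=TXID):
    """Return (rcode, ancount) from a response header after checking that
    it really is a response to our query."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, ancount


def recv_exact(sock, n):
    """Read exactly n bytes; a premature close (e.g. the server process
    dying mid-response) is reported as a failure, not a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full message arrived")
        buf += chunk
    return buf


def probe_dot(host, zone, port=853, timeout=5.0, verify=True):
    """Open a DoT session, send one SOA query, read the whole response,
    then close. The close happens only after the response has been read,
    which is the difference between this probe and the crash trigger."""
    ctx = ssl.create_default_context()
    if not verify:  # only for servers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame(build_query(zone)))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            msg = recv_exact(tls, length)
    return parse_header(msg)


if __name__ == "__main__":
    # usage: python probe_dot.py <dot-server-hostname> <zone> (placeholders)
    rcode, ancount = probe_dot(sys.argv[1], sys.argv[2])
    print(f"rcode={rcode} answers={ancount}")
    sys.exit(0 if rcode == 0 and ancount > 0 else 1)
```

Wire the exit status into whatever alerting you already run; a server that accepts the TLS handshake but then drops the connection before the length prefix arrives shows up as a ConnectionError rather than a timeout, which is the signature you would expect from a process that crashed while handling the session.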

Generated by OpenCVE AI on June 25, 2026 at 07:22 UTC.


Advisories

No advisories yet.

History

Thu, 25 Jun 2026 06:45:00 +0000 (values added; nothing removed)

  • Description: NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
  • Title: Denial of DNS over TLS service by any DoT client
  • Weaknesses: CWE-416
  • References: (none recorded)
  • Metrics: cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N



MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-25T05:24:18.620Z

Reserved: 2026-06-15T06:47:18.496Z

Link: CVE-2026-12245

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T07:30:17Z

Weaknesses