Description
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Published: 2026-06-25
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NSD version 4.14.0 contains a flaw that allows a specially crafted APL resource record with an adflength value larger than allowed to overwrite the stack when the zone data is written to disk. The overwrite can include up to 111 attacker‑controlled bytes, which could corrupt critical program data, crash NSD, or allow execution of stray instructions.

Affected Systems

The vulnerability affects NSD from NLnet Labs, specifically version 4.14.0. The issue was addressed in the subsequent release, 4.14.3, and later versions are not impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity. The exploit probability is not quantified in EPSS, and the vulnerability is not listed in CISA KEV. An attacker would likely need to supply or modify a zone file that NSD processes, enabling remote exploitation if zone updates are accepted from unauthenticated sources or if an attacker can influence zone data before it is written to disk.

Generated by OpenCVE AI on June 25, 2026 at 07:51 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 4.14.3.

OpenCVE Recommended Actions

  • Upgrade NSD to version 4.14.3 or later.
  • Restrict write access to zone files to trusted personnel and processes only.
  • Monitor NSD logs for abnormal or unauthorized zone update activity.

Generated by OpenCVE AI on June 25, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Title Out of bounds stack write with crafted APL RR
Weaknesses CWE-120
CWE-20
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-25T05:24:29.512Z

Reserved: 2026-06-15T06:47:44.761Z

Link: CVE-2026-12246

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T08:00:15Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-20

    Improper Input Validation