Description
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Published: 2026-06-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NSD version 4.14.0 contains a flaw that allows a specially crafted APL resource record with an adflength value larger than allowed to overwrite the stack when the zone data is written to disk. The overwrite can include up to 111 attacker‑controlled bytes, which could corrupt critical program data, crash NSD, or allow execution of stray instructions. This vulnerability is a stack-based buffer overflow (CWE-120), an input validation error (CWE-20), and an out‑of‑bounds write (CWE-787).

Affected Systems

The vulnerability affects NSD from NLnet Labs, specifically version 4.14.0. The issue was addressed in the subsequent release, 4.14.3, and later versions are not impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity. The EPSS score of 0.00265 (approximately 0.265%) indicates a low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. An attacker would likely need to supply or modify a zone file that NSD processes, enabling remote exploitation if zone updates are accepted from unauthenticated sources or if an attacker can influence zone data before it is written to disk.

Generated by OpenCVE AI on June 30, 2026 at 01:54 UTC.

Remediation

Vendor Solution

This issue is fixed starting with version 4.14.3.


OpenCVE Recommended Actions

  • Upgrade NSD to version 4.14.3 or later.
  • Restrict write access to zone files to trusted personnel and processes only.
  • Monitor NSD logs for abnormal or unauthorized zone update activity.

Generated by OpenCVE AI on June 30, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8474-1 NSD vulnerabilities
History

Tue, 30 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.0, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Nlnetlabs
Nlnetlabs nsd
Vendors & Products Nlnetlabs
Nlnetlabs nsd
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Title Out of bounds stack write with crafted APL RR
Weaknesses CWE-120
CWE-20
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: NLnet Labs

Published:

Updated: 2026-06-25T12:42:05.428Z

Reserved: 2026-06-15T06:47:44.761Z

Link: CVE-2026-12246

cve-icon Vulnrichment

Updated: 2026-06-25T12:42:00.963Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-12246 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T02:00:05Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-20

    Improper Input Validation

  • CWE-787

    Out-of-bounds Write