Description
rldns is an open source DNS server. Version 1.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The rldns DNS server version 1.3 contains a heap-based out-of-bounds read that allows an attacker to trigger a service crash, resulting in denial of service. This vulnerability, identified as CWE-125, occurs when the server reads beyond the bounds of a heap buffer, causing memory corruption that terminates the process. If exploited, the server becomes unavailable to legitimate clients, disrupting DNS resolution for connected networks.

Affected Systems

The affected vendor is bluedragonsecurity, product rldns. Version 1.3 of the software is vulnerable. Version 1.4 contains a patch that eliminates the issue. No other product versions are currently listed as affected.

Risk and Exploitability

The CVSS v3.1 score for this vulnerability is 7.5, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack is likely remote, triggered by crafted DNS requests that exploit the out-of-bounds read; this inference is drawn from the nature of DNS servers and typical attack vectors for memory corruption flaws. Successful exploitation would cause a denial of service, but does not provide direct code execution or data exfiltration capabilities.

Generated by OpenCVE AI on April 17, 2026 at 14:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rldns to version 1.4 or later, where the heap read issue has been fixed.
  • If upgrading is not immediately possible, replace the vulnerable binary with the patched diff reference rldns-1.4.diff to apply the fix manually.
  • As a temporary operational measure, monitor DNS server uptime and disable the service during unexpected crashes to mitigate service disruption until a full update can be deployed.

Generated by OpenCVE AI on April 17, 2026 at 14:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
Description rldns is an open source DNS server. Version 2.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue. rldns is an open source DNS server. Version 1.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue.

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Bluedragonsecurity
Bluedragonsecurity rldns
Vendors & Products Bluedragonsecurity
Bluedragonsecurity rldns

Thu, 26 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description rldns is an open source DNS server. Version 2.3 has a heap-based out-of-bounds read that leads to denial of service. Version 1.4 contains a patch for the issue.
Title rldns Vulnerable to Heap-based Out-of-Bounds Read
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Bluedragonsecurity Rldns
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T15:24:12.727Z

Reserved: 2026-02-24T02:32:39.800Z

Link: CVE-2026-27831

cve-icon Vulnrichment

Updated: 2026-02-26T15:14:37.204Z

cve-icon NVD

Status : Deferred

Published: 2026-02-26T01:16:24.770

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27831

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses