CVE-2026-12244
published 2026-06-25CVE-2026-12244: If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with…
PriorityP356high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.30%
21.9th percentile
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnet_labs | nsd | >= 4.14.0 < 4.14.3 | 4.14.3 |
| nlnetlabs | nsd | >= 4.14.0 < 4.14.3 | 4.14.3 |
| ubuntu | nsd | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat8.8HIGH
vendor_ubuntu8.7HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (ui
ghsa_unreviewed·2026-06-25
CVE-2026-12244 [HIGH] CWE-122 If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (ui
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Red Hat
nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
vendor_redhat·2026-06-25·CVSS 8.8
CVE-2026-12244 [HIGH] CWE-787 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
A flaw was found in nsd. When nsd is configured as a secondary server for a zone, a remote attacker, acting as the primary server for that zone, can send a specially crafted DNS message within an AXFR (Asynchronous Full Zone Transfer) request. This message, containing a malformed SVCB (Se
Ubuntu
NSD vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 8.7
CVE-2026-12490 [HIGH] NSD vulnerabilities
Title: NSD vulnerabilities
Summary: NSD could be made to crash or run programs if it received specially
crafted network traffic.
It was discovered that NSD incorrectly handled APL resource records with an
address length larger than permitted for the address family. A remote attacker
could use this to cause a stack-based buffer overflow when the zone is written
to disk, potentially executing arbitrary code with the privileges of the NSD
server. (CVE-2026-12246)
It was discovered that NSD incorrectly handled SVCB resource records. A remote
attacker could use this to cause a heap overflow, potentially executing
arbitrary code with the privileges of the NSD server. This issue only affected
Ubuntu 26.04 LTS. (CVE-2026-12244)
It was discovered that NSD had a use-after-free vulnerability in T
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. [epel-all]
bugzilla·2026-06-29·CVSS 8.8
CVE-2026-12244 [HIGH] CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. [epel-all]
CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes.
Even though the data is from a config
Bugzilla
CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. [fedora-all]
bugzilla·2026-06-29·CVSS 8.8
CVE-2026-12244 [HIGH] CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. [fedora-all]
CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes. [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes.
Even though the data is from a conf
Bugzilla
CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
bugzilla·2026-06-22·CVSS 8.8
CVE-2026-12244 [HIGH] CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
CVE-2026-12244 nsd: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes.
Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, given the potential severity of the attack.
2026-06-25
Published