CVE-2026-12246
published 2026-06-25CVE-2026-12246: NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack…
PriorityP346high8.1CVSS 3.1
AVNACLPRLUINSUCNIHAH
EPSS
0.27%
17.8th percentile
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnet_labs | nsd | >= 4.14.0 < 4.14.3 | 4.14.3 |
| nlnetlabs | nsd | >= 4.14.0 < 4.14.3 | 4.14.3 |
| ubuntu | nsd | — | — |
CVSS provenance
nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
nvdv4.07.2HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_ubuntu8.7HIGH
vendor_redhat8.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
nsd: Out of bounds stack write with crafted APL RR
vendor_redhat·2026-06-25·CVSS 8.1
CVE-2026-12246 [HIGH] CWE-787 nsd: Out of bounds stack write with crafted APL RR
nsd: Out of bounds stack write with crafted APL RR
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
A flaw was found in NSD. A remote attacker, operating as a configured primary DNS server in a multi-tenant secondary DNS deployment, could exploit a bug involving specially crafted Address Prefix List (APL) resource records. By providing an APL record with an adflength larger than permitted, the attacker can overwrite the stack when the zone is written to disk. This could lead to arbitrary code execution or a denial of service.
Statement: This is an Important flaw in NSD, affecting multi-tenant secon
Ubuntu
NSD vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 8.7
CVE-2026-12490 [HIGH] NSD vulnerabilities
Title: NSD vulnerabilities
Summary: NSD could be made to crash or run programs if it received specially
crafted network traffic.
It was discovered that NSD incorrectly handled APL resource records with an
address length larger than permitted for the address family. A remote attacker
could use this to cause a stack-based buffer overflow when the zone is written
to disk, potentially executing arbitrary code with the privileges of the NSD
server. (CVE-2026-12246)
It was discovered that NSD incorrectly handled SVCB resource records. A remote
attacker could use this to cause a heap overflow, potentially executing
arbitrary code with the privileges of the NSD server. This issue only affected
Ubuntu 26.04 LTS. (CVE-2026-12244)
It was discovered that NSD had a use-after-free vulnerability in T
GHSA
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a m
ghsa_unreviewed·2026-06-25
CVE-2026-12246 [HIGH] CWE-20 NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a m
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR [fedora-all]
bugzilla·2026-06-29·CVSS 8.1
CVE-2026-12246 [HIGH] CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR [fedora-all]
CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, where a primary could introduce the rogue APL with the secondary not noticing or only a
Bugzilla
CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR [epel-all]
bugzilla·2026-06-29·CVSS 8.1
CVE-2026-12246 [HIGH] CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR [epel-all]
CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, where a primary could introduce the rogue APL with the secondary not noticing or only aft
Bugzilla
CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR
bugzilla·2026-06-22·CVSS 8.1
CVE-2026-12246 [HIGH] CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR
CVE-2026-12246 nsd: Out of bounds stack write with crafted APL RR
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, where a primary could introduce the rogue APL with the secondary not noticing or only after the fact.
2026-06-25
Published