CVE-2026-12490
Published 2026-06-25
Priority: P3 · 43 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.14% (3.6th percentile)
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over TCP over the regular port, when the other conditions of the provide-xfr rule match.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nlnet_labs | nsd | >= 4.10.1 < 4.14.3 | 4.14.3 |
| nlnetlabs | nsd | < 4.14.3 | 4.14.3 |
| ubuntu | nsd | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v4.0 | 8.2 | HIGH | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_ubuntu | — | 8.7 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
nsd: Bypass of client certificate verification with transfer over TLS
vendor_redhat·2026-06-25·CVSS 7.5
CVE-2026-12490 [HIGH] CWE-303 nsd: Bypass of client certificate verification with transfer over TLS
A flaw was found in nsd. When a 'provide-xfr' is configured with a 'tls-auth-name', the server incorrectly allows zone transfers without requiring a client certificate if the request comes over TLS on the regular 'tls-port' or over TCP on the regular port, provided other access control conditions are met. This authentication bypass allows an attacker to perform u
Ubuntu
NSD vulnerabilities
vendor_ubuntu·2026-06-25·CVSS 8.7
CVE-2026-12490 [HIGH] NSD vulnerabilities
Title: NSD vulnerabilities
Summary: NSD could be made to crash or run programs if it received specially
crafted network traffic.
It was discovered that NSD incorrectly handled APL resource records with an
address length larger than permitted for the address family. A remote attacker
could use this to cause a stack-based buffer overflow when the zone is written
to disk, potentially executing arbitrary code with the privileges of the NSD
server. (CVE-2026-12246)
It was discovered that NSD incorrectly handled SVCB resource records. A remote
attacker could use this to cause a heap overflow, potentially executing
arbitrary code with the privileges of the NSD server. This issue only affected
Ubuntu 26.04 LTS. (CVE-2026-12244)
It was discovered that NSD had a use-after-free vulnerability in T
VulDB
NLnet Labs NSD up to 4.14.2 Certificate missing authentication (EUVD-2026-39185 / Nessus ID 322955)
vuldb·2026-06-26·CVSS 7.5
CVE-2026-12490 [HIGH] NLnet Labs NSD up to 4.14.2 Certificate missing authentication (EUVD-2026-39185 / Nessus ID 322955)
A vulnerability was found in NLnet Labs NSD up to 4.14.2. It has been rated as critical. Impacted is an unknown function of the component Certificate Handler. This manipulation causes missing authentication.
This vulnerability is tracked as CVE-2026-12490. The attack can be carried out remotely. No exploit exists.
Upgrading the affected component is advised.
GHSA
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name.
ghsa_unreviewed·2026-06-25
CVE-2026-12490 [HIGH] CWE-284 When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name.
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over TCP over the regular port, when the other conditions of the provide-xfr rule match.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-12490 nsd: Bypass of client certificate verification with transfer over TLS [epel-all]
bugzilla·2026-06-29·CVSS 7.5
CVE-2026-12490 [HIGH] CVE-2026-12490 nsd: Bypass of client certificate verification with transfer over TLS [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
When a "provide-xfr" is given with a "tls-auth-name", a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular "tls-port" (and not the "tls-auth-port") or over TCP over the regular port, when the other conditions of the "provide-xfr" rule match.
The transfer security restrictions for client certificates can be bypassed completely if the attacker ca
Bugzilla
CVE-2026-12490 nsd: Bypass of client certificate verification with transfer over TLS [fedora-all]
bugzilla·2026-06-29·CVSS 7.5
CVE-2026-12490 [HIGH] CVE-2026-12490 nsd: Bypass of client certificate verification with transfer over TLS [fedora-all]
When a "provide-xfr" is given with a "tls-auth-name", a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular "tls-port" (and not the "tls-auth-port") or over TCP over the regular port, when the other conditions of the "provide-xfr" rule match.
The transfer security restrictions for client certificates can be bypassed completely if the attacker
Bugzilla
CVE-2026-12490 nsd: Bypass of client certificate verification with transfer over TLS
bugzilla·2026-06-22·CVSS 7.5
CVE-2026-12490 [HIGH] CVE-2026-12490 nsd: Bypass of client certificate verification with transfer over TLS
When a "provide-xfr" is given with a "tls-auth-name", a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular "tls-port" (and not the "tls-auth-port") or over TCP over the regular port, when the other conditions of the "provide-xfr" rule match.
The transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions, and the "tls-auth-xfr-only" option is not explicitly set to "yes" (which it by default is not).