Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27831 is a high-severity heap-based out-of-bounds read vulnerability in rldns version 1.3, an open-source lightweight DNS server. The issue arises in the DNS QNAME parsing logic when constructing a printable domain string (_name) on the heap. The allocation size for _name is based on the sum of label lengths, but the code inserts '.' separators between labels without accounting for the extra bytes, leading to a non-NUL-terminated string under certain multi-label QNAME inputs (notably with three or more labels)."}, {'type': 'paragraph', 'content': 'Because _name is not properly NUL-terminated, the subsequent call to strlen(_name) reads beyond the allocated heap buffer boundary, causing a heap out-of-bounds read. This flaw can be triggered remotely by sending a specially crafted DNS query to the rldns service, causing the daemon to crash or abort, resulting in a denial of service (DoS).'}, {'type': 'paragraph', 'content': 'The root cause is insufficient validation of the received packet length against label length octets during QNAME parsing, allowing malformed or truncated DNS packets to corrupt heap buffer construction. The vulnerability requires no authentication and affects only rldns version 1.3; it was fixed in version 1.4.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows remote, unauthenticated attackers to cause a denial of service (DoS) by crashing the rldns daemon through crafted DNS queries. The impact is a disruption of availability of the DNS service provided by rldns.

There are no demonstrated impacts on confidentiality or integrity, such as information leakage or remote code execution. The main consequence is that the DNS server becomes unavailable, potentially affecting network services relying on it.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal termination of the rldns daemon when it receives malformed DNS queries. Specifically, crafted DNS queries with malformed QNAME labels (notably with three or more labels and invalid length octets) can trigger the heap out-of-bounds read and cause the daemon to crash.

To detect exploitation attempts or reproduce the issue, one can use fuzzing tools such as honggfuzz combined with AddressSanitizer (ASan) to capture heap out-of-bounds reads and crashes in rldns version 1.3.

Since the vulnerability is triggered by specially crafted DNS queries sent to the network-reachable rldns service (UDP/TCP port 53 or configured port), network monitoring tools can be configured to detect unusual or malformed DNS packets with abnormal QNAME structures.

• Use honggfuzz with AddressSanitizer to fuzz the rldns DNS query parser and detect crashes.
• Monitor system logs for rldns daemon crashes or aborts triggered by malformed DNS queries.
• Capture and analyze DNS traffic on UDP/TCP port 53 for malformed DNS queries with multi-label QNAMEs lacking proper termination.

Useful 0 Not Useful 0

Mitigation Strategies

The primary and recommended mitigation is to upgrade rldns from version 1.3 to version 1.4, where the vulnerability has been fixed by correcting the QNAME parsing logic to ensure proper NUL-termination and robust validation against packet length.

No other effective workarounds or mitigations exist, as the vulnerability can be triggered remotely without authentication by sending crafted DNS queries.

• Upgrade rldns to version 1.4 immediately.
• If upgrading is not immediately possible, consider restricting access to the rldns service (UDP/TCP port 53) to trusted clients only, to reduce exposure to crafted queries.
• Monitor the rldns daemon for crashes and restart it promptly if it aborts.

Useful 0 Not Useful 0