CVE-2026-12244
NSD Secondary Zone AXFR Heap Overflow via Malicious SVCB RR

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: NLnet Labs

Description
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a specially crafted SVCB RR with an rdata size of 65512. This lets a (uint16_t) variable that is used to allocate the space needed for the RR wrap (because the total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) heap write of up to 65509 bytes.
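
The wrap described above, as an added example that is not NSD's code: a size kept in a 16-bit variable next to a version that computes in size_t and rejects the record. RR_OVERHEAD and the function names are assumptions made for illustration; only the 65512 rdata size and the 65535 limit come from this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: fixed per-RR bytes added to the rdata length before the
 * allocation. 24 is a constructed value, not taken from NSD's source. */
#define RR_OVERHEAD 24u

/* Flawed pattern: the total is kept in a uint16_t, so any sum above 65535
 * wraps modulo 65536 and the buffer allocated from it is far too small. */
static uint16_t alloc_size_wrapping(uint16_t rdlength)
{
    uint16_t total = (uint16_t)(rdlength + RR_OVERHEAD);
    return total;
}

/* Hardened pattern: do the arithmetic in size_t and refuse any record whose
 * total exceeds what the caller's size field can represent. */
static int alloc_size_checked(uint16_t rdlength, size_t limit, size_t *out)
{
    size_t total = (size_t)rdlength + RR_OVERHEAD;
    if (total > limit)
        return -1;  /* reject the RR instead of under-allocating */
    *out = total;
    return 0;
}

int main(void)
{
    const uint16_t rdlength = 65512;  /* rdata size given in the advisory */
    size_t safe = 0;

    printf("needed:   %zu bytes\n", (size_t)rdlength + RR_OVERHEAD);
    printf("wrapping: %u bytes allocated\n", (unsigned)alloc_size_wrapping(rdlength));
    if (alloc_size_checked(rdlength, UINT16_MAX, &safe) != 0)
        printf("checked:  record rejected, total exceeds %u\n", (unsigned)UINT16_MAX);
    return 0;
}
```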
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor     Product  Version / Range
nlnetlabs  nsd      From 4.14.0 (inc) to 4.14.2 (inc)
nlnetlabs  nsd      4.14.3
CWE ID: Description
CWE-122: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Executive Summary

CVE-2026-12244 is a vulnerability in NSD versions 4.14.0 through 4.14.2 that occurs when NSD is configured as a secondary DNS server for a zone. The primary server can send an AXFR containing a specially crafted SVCB resource record (RR) with an rdata size of 65512 bytes. This causes a heap overflow due to a variable used for memory allocation wrapping around because the total size exceeds 65535. The overflow allows an attacker to perform a controlled heap write of up to 65509 bytes, potentially enabling remote code execution.

Impact Analysis

This vulnerability can have severe impacts, especially in multi-tenant secondary DNS deployments. An attacker controlling the primary DNS server can exploit this flaw to cause a heap overflow in the secondary NSD server, potentially leading to remote code execution. This means the attacker could execute arbitrary code on the affected system, compromising its integrity, availability, and confidentiality.

Mitigation Strategies

To mitigate CVE-2026-12244, users should upgrade NSD to version 4.14.3, which contains the patch for this vulnerability.

Alternatively, users can manually apply the patch to NSD version 4.14.2 and then reinstall the software to fix the issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
