CVE-2026-12244
Analyzed Analyzed - Analysis Complete

NSD Secondary Zone AXFR Heap Overflow via Malicious SVCB RR

Vulnerability report for CVE-2026-12244, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: NLnet Labs

Description

If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nlnetlabs nsd From 4.14.0 (inc) to 4.14.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-12244 is a vulnerability in NSD versions 4.14.0 through 4.14.2 that occurs when NSD is configured as a secondary DNS server for a zone. The primary server can send an AXFR containing a specially crafted SVCB resource record (RR) with an rdata size of 65512 bytes. This causes a heap overflow due to a variable used for memory allocation wrapping around because the total size exceeds 65535. The overflow allows an attacker to perform a controlled heap write of up to 65509 bytes, potentially enabling remote code execution.

Impact Analysis

This vulnerability can have severe impacts, especially in multi-tenant secondary DNS deployments. An attacker controlling the primary DNS server can exploit this flaw to cause a heap overflow in the secondary NSD server, potentially leading to remote code execution. This means the attacker could execute arbitrary code on the affected system, compromising its integrity, availability, and confidentiality.

Mitigation Strategies

To mitigate CVE-2026-12244, users should upgrade NSD to version 4.14.3, which contains the patch for this vulnerability.

Alternatively, users can manually apply the patch to NSD version 4.14.2 and then reinstall the software to fix the issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability specifically involves NSD configured as a secondary server receiving a malicious AXFR transfer containing a specially crafted SVCB resource record with an rdata size of 65512 that triggers a heap overflow.

Detection would involve monitoring AXFR zone transfers from the primary to the secondary NSD server and inspecting DNS messages for unusually large SVCB resource records, particularly those with rdata sizes near 65512 bytes.

Since the attack is triggered by a crafted AXFR transfer, one approach is to capture and analyze DNS traffic using tools like tcpdump or Wireshark to filter for AXFR transfers and inspect the SVCB RRs.

  • Use tcpdump to capture AXFR transfers: tcpdump -i <interface> port 53 and filter for AXFR queries and responses.
  • Use tshark or Wireshark to analyze captured DNS traffic and filter for SVCB resource records with large rdata sizes.
  • Check NSD logs for any crashes or abnormal behavior during zone transfers from the primary server.

However, no specific detection commands or signatures are provided in the available resources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart