CVE-2026-12245
Heap Use-After-Free in NSD DNS Server

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: NLnet Labs

Description
NSD from version 4.13.0 has a heap use-after-free bug when logging errors on TLS connections, causing the server process to crash. It can be triggered trivially by sending a DNS query over a DoT connection and closing the connection without reading the response.
Affected Vendors & Products
Vendor     Product  Version / Range
nlnetlabs  nsd      From 4.13.0 (inc) to 4.14.2 (inc)
nlnetlabs  nsd      4.14.3
CWE ID   Description
CWE-416  The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-12245 is a vulnerability in NSD versions 4.13.0 through 4.14.2 when configured with DNS over TLS (DoT). It involves a heap use-after-free bug in the error logging mechanism for TLS connections. This bug causes the server process to crash when a client sends a DNS query over a DoT connection and then closes the connection without reading the response.

The vulnerability can be triggered trivially by any client with access to the DoT port (853), leading to repeated crashes and restarts of the server process.

Impact Analysis

This vulnerability can cause the NSD server to crash repeatedly and enter a crash-restart loop when exploited. An attacker can exploit this by sending DNS queries over DoT and closing the connection early, effectively causing a denial of service (DoS) on the DNS over TLS service.

As a result, legitimate users may experience service outages or degraded DNS resolution performance over TLS, impacting availability and reliability of DNS services.

Detection Guidance

This vulnerability can be detected by monitoring the NSD server for crashes or restart loops, especially when DNS over TLS (DoT) connections are used.

Since the issue is triggered by sending a DNS query over a DoT connection and then closing the connection without reading the response, you can attempt to reproduce this behavior to detect the vulnerability.

A suggested approach is to use tools like 'openssl s_client' to establish a TLS connection to the NSD DoT port (853), send a DNS query, and then close the connection prematurely.

  • openssl s_client -connect <nsd_server_ip>:853 -quiet
  • Send a DNS query manually or via a script over this connection and then close it immediately without reading the response.

If the NSD server crashes or restarts repeatedly after such tests, it indicates the presence of the vulnerability.
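As an added example (not part of this CVE record and not NSD's own code), the following Python script implements the crash/restart monitoring suggested above from the defender's side: it parses service-manager log lines, counts NSD main-process crashes inside a sliding time window and flags a crash-restart loop. The log lines are constructed for the example (wording modelled on systemd's messages, not captured from a real system); the unit name nsd.service, the crash threshold and the window length are assumptions to adapt to your deployment.

```python
"""Flag an NSD crash-restart loop from service-manager log lines.

Added example for CVE-2026-12245 detection guidance; not part of the CVE
record or of NSD. Assumes systemd-style journal lines and the unit name
nsd.service; adjust CRASH_RE for other service managers or unit names.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (hypothetical host "ns1"; not real captured output).
# One isolated crash at 09:31, then four crashes within 22 seconds at 10:05.
SAMPLE_LOG = """\
2026-06-25T09:00:05 ns1 systemd[1]: Started NSD DNS server.
2026-06-25T09:31:40 ns1 systemd[1]: nsd.service: Main process exited, code=killed, status=11/SEGV
2026-06-25T09:31:41 ns1 systemd[1]: nsd.service: Scheduled restart job, restart counter is at 1.
2026-06-25T09:31:41 ns1 systemd[1]: Started NSD DNS server.
2026-06-25T10:05:12 ns1 systemd[1]: nsd.service: Main process exited, code=killed, status=11/SEGV
2026-06-25T10:05:13 ns1 systemd[1]: nsd.service: Scheduled restart job, restart counter is at 2.
2026-06-25T10:05:13 ns1 systemd[1]: Started NSD DNS server.
2026-06-25T10:05:20 ns1 systemd[1]: nsd.service: Main process exited, code=killed, status=11/SEGV
2026-06-25T10:05:21 ns1 systemd[1]: Started NSD DNS server.
2026-06-25T10:05:27 ns1 systemd[1]: nsd.service: Main process exited, code=dumped, status=6/ABRT
2026-06-25T10:05:28 ns1 systemd[1]: Started NSD DNS server.
2026-06-25T10:05:34 ns1 systemd[1]: nsd.service: Main process exited, code=killed, status=11/SEGV
2026-06-25T10:05:35 ns1 systemd[1]: nsd.service: Start request repeated too quickly.
"""

# Matches a systemd "main process exited" line for the NSD unit (assumed name)
# where the process died from a signal (killed) or dumped core.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ systemd\[\d+\]: nsd\.service: "
    r"Main process exited, code=(?:killed|dumped), status=(?P<sig>\d+)/(?P<name>[A-Z]+)"
)


def parse_crashes(log_text):
    """Return a list of (timestamp, signal_name) for every NSD crash line."""
    events = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["name"]))
    return events


def detect_restart_loop(log_text, threshold=3, window=timedelta(minutes=10)):
    """Sliding-window count of crashes; a loop is `threshold` crashes within `window`.

    threshold and window are assumed tuning values, not NSD defaults.
    """
    events = sorted(parse_crashes(log_text))
    best = {"count": 0, "first": None, "last": None}
    start = 0
    for end, (ts, _sig) in enumerate(events):
        # Drop events older than the window relative to the current one.
        while ts - events[start][0] > window:
            start += 1
        count = end - start + 1
        if count > best["count"]:
            best = {"count": count, "first": events[start][0], "last": ts}
    return {
        "total_crashes": len(events),
        "signals": dict(Counter(sig for _, sig in events)),
        "max_in_window": best["count"],
        "loop_window": (best["first"], best["last"]),
        "loop_detected": best["count"] >= threshold,
    }


if __name__ == "__main__":
    report = detect_restart_loop(SAMPLE_LOG)
    print(f"crashes={report['total_crashes']} signals={report['signals']}")
    if report["loop_detected"]:
        first, last = report["loop_window"]
        print(f"ALERT: {report['max_in_window']} crashes between {first} and {last}")
```

In a real deployment feed the script from `journalctl -u nsd.service -o short-iso` (or your equivalent) and treat an alert as a cue to check the NSD version against the affected range and inspect DoT (port 853) connection activity around the crash window.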

Mitigation Strategies

The immediate mitigation step is to upgrade NSD to version 4.14.3 or later, where the vulnerability has been fixed.

If upgrading is not immediately possible, apply the manual patch provided for NSD 4.14.2 (a diff file) and reinstall NSD.

As a temporary workaround, consider disabling DNS over TLS (DoT) service to prevent exploitation until the patch or upgrade can be applied.
