CVE-2026-12244 PUBLISHED

Heap overflow and crash with crafted SVCB RR

Assigner: NLnet Labs
Reserved: 15.06.2026 Published: 25.06.2026 Updated: 25.06.2026

If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Processing of a zonefile containing a crafted SVCB. These can be provided by a trusted primary

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	Low
User Interaction	None

Processing of a zonefile containing a crafted SVCB. These can be provided by a trusted primary

CVSS 4.0

Product Status

Vendor	NLnet Labs
Product	NSD
Versions	Default: unaffected affected from 4.14.0 to 4.14.3 (excl.)

Solutions

This issue is fixed starting with version 4.14.3.

Credits

Qifan Zhang from Palo Alto Networks finder

References

https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt

Problem Types

CWE-190: Integer Overflow or Wraparound CWE
CWE-122: Heap-based Buffer Overflow CWE