CVE-2026-12245 PUBLISHED

Denial of DNS over TLS service by any DoT client

Assigner: NLnet Labs
Reserved: 15.06.2026 Published: 25.06.2026 Updated: 25.06.2026

NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.7

Any client with access to the DoT port (853) can keep all iserve children in a crash-restart loop denying DoT service

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

Any client with access to the DoT port (853) can keep all iserve children in a crash-restart loop denying DoT service

CVSS 4.0

Product Status

Vendor	NLnet Labs
Product	NSD
Versions	Default: unaffected affected from 4.13.0 to 4.14.3 (excl.)

Solutions

This issue is fixed starting with version 4.14.3.

Credits

Qifan Zhang from Palo Alto Networks finder

References

https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt

Problem Types

CWE-416: Use After Free CWE