Skip to main content

NLnet Labs ldns CVE-2026-10846

| EUVDEUVD-2026-35991 HIGH
Origin Validation Error (CWE-346)
2026-06-10 NLnet Labs GHSA-x77r-8q36-8529
8.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
Jun 10, 2026 - 09:21 vuln.today
Patch available
Jun 10, 2026 - 08:01 EUVD
CVSS changed
Jun 10, 2026 - 07:22 NVD
8.2 (HIGH)
CVE Published
Jun 10, 2026 - 06:37 nvd
UNKNOWN (no severity yet)

DescriptionNVD

NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query destination address and port with the response source address and port. Furthermore not the query ID, neither the question of the query is matched with that of the response. This makes applications, that use ldns for (stub) resolver functionality over UDP, vulnerable for off-path poisoning attacks. The drill tool, which is shipped with ldns, suffers from this vulnerability.

AnalysisAI

Off-path DNS response spoofing in NLnet Labs ldns 1.2.0 through 1.9.0 allows remote attackers to inject forged answers into applications that use the library as a UDP stub resolver, including the bundled drill tool. The library fails to validate the response source address/port, the query transaction ID, and the question section against the original query, making cache and answer poisoning feasible without on-path positioning. No public exploit identified at time of analysis, but the CVSS 4.0 score of 8.2 reflects high integrity impact on any downstream application that trusted ldns to validate DNS answers.

Technical ContextAI

ldns is a widely embedded C library from NLnet Labs (the maintainers of Unbound and NSD) used to build DNS-aware tools and stub resolvers; it is shipped with the drill diagnostic utility and is consumed by numerous downstream packages. The root cause maps to CWE-346 (Origin Validation Error): when a UDP query is sent, a compliant stub resolver must verify that the response arrives from the exact 5-tuple it queried and that the DNS header transaction ID and question section echo the request. Per the vendor advisory, ldns performed none of these checks on the UDP path, so any UDP datagram reaching the client's listening socket could be accepted as the answer. The affected CPE is cpe:2.3:a:nlnet_labs:ldns and the bug is exclusive to the UDP stub resolver code path - TCP and full recursive resolvers (e.g., Unbound) are not implicated.

RemediationAI

Vendor-released patch: upgrade to ldns 1.9.1 or later, which adds the missing source-address, source-port, transaction-ID, and question-section matching on UDP responses, per the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/ldns/CVE-2026-10846.txt. Downstream packages that statically link or vendor ldns must be rebuilt against 1.9.1; redistribute updated binaries of drill at the same time. Where immediate patching is not possible, force resolution over TCP (e.g., configure callers to set TCP-only or use a trusted local recursive resolver like Unbound and have ldns talk to it on loopback) to remove the off-path UDP window, accepting the latency and connection-state overhead this adds; alternatively, restrict the host's outbound DNS to a single trusted resolver via firewall rules and drop inbound UDP/53 from any other source to shrink the spoofing surface, noting this does not stop on-path attackers and breaks split-horizon setups.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected

Share

CVE-2026-10846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy