Skip to main content

NSD CVE-2026-12244

| EUVDEUVD-2026-39182 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-25 NLnet Labs GHSA-p22w-wq6p-g85g
8.7
CVSS 4.0 · Vendor: NLnet Labs
Share

Severity by source

Vendor (NLnet Labs) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-delivered via AXFR (AV:N), low complexity (AC:L), but requires the trusted primary role so PR:L; controlled heap write yields high C/I/A with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
8.0 HIGH
qualitative

Primary rating from Vendor (NLnet Labs).

CVSS VectorVendor: NLnet Labs

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 08:01 EUVD
Analysis Generated
Jun 25, 2026 - 07:00 vuln.today

DescriptionCVE.org

If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes

AnalysisAI

Heap overflow in NLnet Labs NSD allows a malicious or compromised zone primary to corrupt memory on a secondary (slave) NSD instance by sending an AXFR transfer containing a crafted SVCB resource record. An rdata size of 65512 causes a uint16_t length variable used for RR allocation to wrap (total size exceeds 65535), producing an undersized buffer and a controlled out-of-bounds write of up to 65509 bytes - an RCE-class primitive (CWE-190 integer overflow leading to heap overflow). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control or compromise zone primary
Delivery
Victim secondary initiates AXFR
Exploit
Send crafted SVCB RR rdata size 65512
Execution
uint16_t allocation size wraps small
Persist
Heap buffer overflow up to 65509 bytes
Impact
Controlled write achieves RCE or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim NSD instance is configured as a secondary for at least one zone, and that the attacker controls the primary for that zone (or can supply the AXFR response as a malicious/compromised primary, or impersonate it where TSIG is not enforced) - the malicious payload is delivered inside an AXFR zone transfer as an SVCB resource record with an rdata size of exactly 65512 bytes, which is the value that wraps the uint16_t allocation size. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, base 8.7) reflects a network-reachable, low-complexity attack with high impact to confidentiality, integrity, and availability, requiring some privilege (PR:L) - consistent with the description, which states the attack must come from the configured primary of a zone that the victim NSD secondaries. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls or has compromised the primary nameserver for a zone (or can impersonate it on-path where TSIG is absent) waits for or triggers an AXFR from a victim NSD secondary, then serves a zone-transfer message containing a crafted SVCB record with rdata length 65512. The 16-bit allocation size wraps, NSD copies up to 65509 attacker-chosen bytes past the undersized heap buffer, and the attacker leverages the controlled write toward code execution or a crash on the secondary. …
Remediation Upgrade NSD to the fixed release identified in the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt; the exact patched version number is not included in the provided data and must be taken from that advisory - patch available per vendor advisory, version to be confirmed from the source. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all NSD instances configured as secondary servers; verify zone transfer source ACLs restrict access to known, trusted primaries only; search logs for unusual zone transfer requests (AXFR). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Important

Share

CVE-2026-12244 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy