Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered via AXFR (AV:N), low complexity (AC:L), but requires the trusted primary role so PR:L; controlled heap write yields high C/I/A with no scope change.
Primary rating from Vendor (NLnet Labs).
CVSS VectorVendor: NLnet Labs
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
AnalysisAI
Heap overflow in NLnet Labs NSD allows a malicious or compromised zone primary to corrupt memory on a secondary (slave) NSD instance by sending an AXFR transfer containing a crafted SVCB resource record. An rdata size of 65512 causes a uint16_t length variable used for RR allocation to wrap (total size exceeds 65535), producing an undersized buffer and a controlled out-of-bounds write of up to 65509 bytes - an RCE-class primitive (CWE-190 integer overflow leading to heap overflow). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim NSD instance is configured as a secondary for at least one zone, and that the attacker controls the primary for that zone (or can supply the AXFR response as a malicious/compromised primary, or impersonate it where TSIG is not enforced) - the malicious payload is delivered inside an AXFR zone transfer as an SVCB resource record with an rdata size of exactly 65512 bytes, which is the value that wraps the uint16_t allocation size. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H, base 8.7) reflects a network-reachable, low-complexity attack with high impact to confidentiality, integrity, and availability, requiring some privilege (PR:L) - consistent with the description, which states the attack must come from the configured primary of a zone that the victim NSD secondaries. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or has compromised the primary nameserver for a zone (or can impersonate it on-path where TSIG is absent) waits for or triggers an AXFR from a victim NSD secondary, then serves a zone-transfer message containing a crafted SVCB record with rdata length 65512. The 16-bit allocation size wraps, NSD copies up to 65509 attacker-chosen bytes past the undersized heap buffer, and the attacker leverages the controlled write toward code execution or a crash on the secondary. … |
| Remediation | Upgrade NSD to the fixed release identified in the NLnet Labs advisory at https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt; the exact patched version number is not included in the provided data and must be taken from that advisory - patch available per vendor advisory, version to be confirmed from the source. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all NSD instances configured as secondary servers; verify zone transfer source ACLs restrict access to known, trusted primaries only; search logs for unusual zone transfer requests (AXFR). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote denial-of-service in NLnet Labs NSD (authoritative DNS name server) version 4.13.0 and later allows an unauthenti
Zone-transfer authentication bypass in NLnet Labs NSD allows unauthorized secondaries to obtain full zone contents witho
NSD before 4.1.11 allows remote DNS master servers to cause a denial of service (/tmp disk consumption and slave server
Stack buffer overflow in NSD 4.14.0 (NLnet Labs authoritative DNS server) allows a party able to introduce zone data to
query.c in NSD 3.0.x through 3.0.8, 3.1.x through 3.1.1, and 3.2.x before 3.2.12 allows remote attackers to cause a deni
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: ImportantShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39182
GHSA-p22w-wq6p-g85g