- Product: NLnet Labs NSD
- Vulnerabilities: 4 flaws (CVE-2026-12244, CVE-2026-12245, CVE-2026-12246, CVE-2026-12490)
- Highest severity: 8.8 (High · CVSSv3)
- Worst impact: Heap overflow and crash with crafted SVCB RR
- Status: No confirmed exploitation yet; patches available
- Action: Update to 4.14.3 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-12244 | 8.7 | Heap overflow and crash with crafted SVCB RR | 4.14.3 | Not exploited |
| CVE-2026-12245 | 8.7 | Denial of DNS over TLS service by any DoT client | 4.14.3 | Not exploited |
| CVE-2026-12490 | 8.2 | Bypass of client certificate verification with transfer over TLS | 4.14.3 | Not exploited |
| CVE-2026-12246 | 7.2 | Out of bounds stack write with crafted APL RR | 4.14.3 | Not exploited |
TL;DR
NLnet Labs has released version 4.14.3 of the Name Server Daemon (NSD) to patch four severe security flaws. The vulnerabilities expose servers to heap overflows and persistent denial-of-service loops, and they primarily affect multi-tenant secondary DNS deployments operating in complex environments. Administrators should apply the patches immediately to keep name service available to their users.
Why It Matters
These bugs threaten the stability of vital DNS infrastructure across the internet: a crashed server halts name resolution for every zone it serves, and malicious actors can abuse the weaknesses to execute unauthorized code or disrupt critical services entirely.
Vulnerability Mechanisms
CVE-2026-12244: Heap Overflow
A malicious primary server can send a crafted AXFR request to a vulnerable secondary that carries a specially constructed SVCB resource record payload. The oversized rdata wraps a 16-bit variable used to size the allocation, which triggers a heap overflow during memory allocation.
CVE-2026-12245: DoT Crash Loop
A second bug affects DNS over TLS connections. An attacker opens a TLS connection and closes it prematurely, which triggers a use-after-free during error logging. The server process crashes and immediately restarts, producing a persistent denial-of-service loop.
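A crash-and-restart loop of this kind is visible in service-manager logs long before anyone notices resolution failures. The following detection routine is an added example, not code from the advisory or from NSD: it slides a time window over crash events for a unit and flags a loop once a threshold is reached. The journal lines are constructed sample data, and the unit name `nsd.service` and the `<ISO timestamp> <message>` line layout are assumptions that vary by distribution.

```python
"""Detect an NSD crash/restart loop from systemd-style journal lines.

Added illustration of the DoT crash-loop scenario. The journal lines below are
constructed sample data, not output captured from a real host, and the unit
name 'nsd.service' is an assumption (it differs between distributions).
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample journal (assumed format: "<ISO timestamp> <message>").
SAMPLE_JOURNAL = """\
2026-03-01T10:00:00 nsd.service: Main process exited, code=killed, status=11/SEGV
2026-03-01T10:00:01 Started nsd.service - Name Server Daemon.
2026-03-01T10:00:05 nsd.service: Main process exited, code=killed, status=11/SEGV
2026-03-01T10:00:06 Started nsd.service - Name Server Daemon.
2026-03-01T10:00:11 nsd.service: Main process exited, code=killed, status=11/SEGV
2026-03-01T10:00:12 Started nsd.service - Name Server Daemon.
2026-03-01T10:00:17 nsd.service: Main process exited, code=killed, status=11/SEGV
2026-03-01T10:00:18 Started nsd.service - Name Server Daemon.
2026-03-01T12:30:00 Started nsd.service - Name Server Daemon.
"""

CRASH_RE = re.compile(r"^(\S+) (\S+): Main process exited, code=(\w+), status=(\S+)")
RESTART_RE = re.compile(r"^(\S+) Started (\S+)")


def parse_events(text, unit="nsd.service"):
    """Yield (timestamp, kind) pairs, kind being 'crash' or 'restart', for `unit`."""
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if m and m.group(2) == unit:
            yield datetime.fromisoformat(m.group(1)), "crash"
            continue
        m = RESTART_RE.match(line)
        if m and m.group(2) == unit:
            yield datetime.fromisoformat(m.group(1)), "restart"


def detect_crash_loop(text, unit="nsd.service", threshold=3, window=timedelta(minutes=5)):
    """Return the timestamp at which `threshold` crashes fell inside `window`, else None.

    Only crash events feed the sliding window; restarts are tracked separately so a
    single operator-initiated restart is not mistaken for a loop.
    """
    recent = deque()
    for ts, kind in parse_events(text, unit):
        if kind != "crash":
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return ts
    return None


def count_events(text, unit="nsd.service"):
    """Tally crashes and restarts for `unit`; useful as a summary line in an alert."""
    counts = {"crash": 0, "restart": 0}
    for _, kind in parse_events(text, unit):
        counts[kind] += 1
    return counts


if __name__ == "__main__":
    hit = detect_crash_loop(SAMPLE_JOURNAL)
    if hit:
        print("crash loop detected at", hit, count_events(SAMPLE_JOURNAL))
    else:
        print("no crash loop")
```

On a live host the same functions can be fed the output of `journalctl -u nsd.service -o short-iso` (the unit name is again an assumption); the threshold and window should be tuned so that a planned restart during maintenance does not page anyone.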
CVE-2026-12246 & CVE-2026-12490
A rogue APL resource record causes an out-of-bounds stack write, which occurs when the server writes the zone to disk. Separately, secondaries normally require a trusted client certificate for TLS zone transfers, but an attacker can bypass this check entirely by requesting the transfer over standard TCP.
Exploitation Status
No public proof-of-concept currently exists for these bugs, and active exploitation in the wild remains unconfirmed by security researchers.
Affected Versions & Mitigation
These NSD DNS vulnerabilities affect NSD versions 4.13.0 through 4.14.2. System administrators should upgrade to NSD 4.14.3 immediately, or alternatively apply the official patches to the source code. The full release notes describe the technical changes in detail.
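Checking a fleet against the affected range is mostly version-string parsing, which is easy to get wrong with plain string comparison (`"4.9.0" > "4.14.2"` is true lexically). The helper below is an added example, not part of the advisory or of NSD: it takes the 4.13.0 through 4.14.2 range and the 4.14.3 fix from the advisory, and assumes that `nsd -v` prints a line of the form `NSD version X.Y.Z`; versions older than 4.13.0 are reported as outside the advertised range rather than as safe.

```python
"""Classify an NSD version string against the advisory's affected range.

Added example; not code from the advisory or from NSD. The range
4.13.0..4.14.2 and the fix in 4.14.3 come from the advisory; the assumption
that `nsd -v` prints a line like "NSD version 4.14.2" is ours.
"""
import re
import shutil
import subprocess

AFFECTED_MIN = (4, 13, 0)
AFFECTED_MAX = (4, 14, 2)
FIXED = (4, 14, 3)


def parse_version(text):
    """Extract the first dotted X.Y.Z version in `text` as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if `version` (tuple or string) lies inside [AFFECTED_MIN, AFFECTED_MAX]."""
    if isinstance(version, str):
        version = parse_version(version)
    # Tuple comparison is numeric per component, so 4.9.x < 4.14.x as intended.
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def fmt(version):
    return ".".join(str(x) for x in version)


def assess(text):
    """Human-readable verdict for a version string or `nsd -v` output."""
    v = parse_version(text)
    if is_affected(v):
        return f"{fmt(v)}: affected, upgrade to {fmt(FIXED)}"
    if v < AFFECTED_MIN:
        return f"{fmt(v)}: older than the advertised range; not covered by this advisory"
    return f"{fmt(v)}: not affected"


def installed_version_output():
    """Run `nsd -v` if NSD is on PATH and return its combined output, else None.

    The version banner may land on stdout or stderr, so both are captured.
    """
    if shutil.which("nsd") is None:
        return None
    proc = subprocess.run(["nsd", "-v"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    out = installed_version_output()
    # Constructed fallback so the script demonstrates itself without NSD installed.
    print(assess(out if out else "NSD version 4.14.2"))
```

Because only a three-part version is parsed, package suffixes such as `4.14.2-1ubuntu1` still classify correctly; a distribution that backports the fix without bumping the upstream version would need a separate check of its own changelog.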