FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

NSD -- vulnerabilities

Affected packages
nsd < 4.14.3

Details

VuXML ID bebbc065-73d2-11f1-910d-3c7c3fba4204
Discovery 2026-06-25
Entry 2026-06-29

NLnet Labs reports:

CVE-2026-12244: A specially crafted SVCB RR can cause a heap overflow of up to 65509 attacker controlled bytes.

If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes

Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, given the potential severity of the attack.

CVE-2026-12245: An attacker can keep all children in a crash-restart loop denying DoT service.

NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.

Any client with access to the DoT port (853) can trigger this. Even though a new server process will be immediately reforked to replace the crashed one, an attacker can keep all children in a crash-restart loop denying DoT service.

CVE-2026-12246: The RR type APL rdata address, if too large, causes out of bounds write on the stack, when the zonefile is written out.

NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.

Even though the data is from a configured primary inside NSD's trust boundary, we do consider the risk significant enough for multi-tenant secondary DNS deployments, where a primary could introduce the rogue APL with the secondary not noticing or only after the fact.

CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS, can bypass verification by transferring over TCP.

When a "provide-xfr" is given with a "tls-auth-name", a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular "tls-port" (and not the "tls-auth-port") or over over TCP over the regular port, when the other conditions of the "provide-xfr" rule match.

The transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions, and the "tls-auth-xfr-only" option is not explicitly set to "yes" (which it by default is not)

Thanks to people below for reporting and disclosing these vulnerabilities:

References

CVE Name CVE-2026-12244
CVE Name CVE-2026-12245
CVE Name CVE-2026-12246
CVE Name CVE-2026-12490
URL https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt
URL https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt
URL https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt
URL https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt