CVE-2026-12244
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
A vulnerability in NSD allows an attacker acting as a primary server for a zone to cause a heap overflow by sending an AXFR response containing a specially crafted SVCB record with an rdata size of 65512 bytes. This causes a uint16_t variable used for memory allocation to wrap, leading to a write beyond the allocated buffer.
Risk Assessment
An attacker can remotely execute arbitrary code (RCE) on the NSD server, potentially leading to full system compromise and impacting the confidentiality, integrity, and availability of DNS services.
Recommendation
Update NSD immediately to a version that fixes this vulnerability. Until then, restrict trusted primary servers for zones and implement validation mechanisms for AXFR responses.
Original NVD description (English source)
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes

