CVE Catalog

CVE-2026-12490

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

A vulnerability in the DNS system allows bypassing client certificate authentication for zone transfers (XFR) when using provide-xfr with tls-auth-name. If the request comes via TLS on the standard TLS port (not the tls-auth port) or via plain TCP on the standard port, the server does not require a client certificate, even if the provide-xfr rule specifies one.

Risk Assessment

An attacker can obtain an unauthorized copy of a DNS zone, leading to leakage of sensitive data (e.g., internal records) and enabling further attacks such as network reconnaissance.

Recommendation

Update the DNS software to a version that fixes the client certificate enforcement logic for provide-xfr rules with tls-auth-name. Until the update, restrict access to TLS and TCP ports to trusted IP addresses only.

Original NVD description (English source)

When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS