Fix for CVE-2026-12245: If NSD is configured with DNS over TLS, a client that performs a TLS action, closing the connection early, causes a crash and restart of the server process. An attacker can keep all children in a crash-restart loop, denying DoT service. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix for CVE-2026-12246: An RR type APL rdata address that is too large causes an out-of-bounds write on the stack when the zonefile is written out. Thanks to Qifan Zhang from Palo Alto Networks, Haruki Oyama from Waseda University and zhangph for the report.
Fix for CVE-2026-12490: Secondaries authenticated by a client certificate to transfer a zone over TLS can bypass verification by transferring over TCP. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
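
For the APL entry above: in the RFC 3123 wire layout the 7-bit address length field can claim up to 127 bytes, while an IPv4 or IPv6 address needs at most 4 or 16. The following is an added example, not NSD's code, of a formatter that checks that length before copying into a fixed-size stack buffer; `apl_item_to_text` is a hypothetical helper and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Format one APL item (RFC 3123 wire layout) as "[!]afi:address/prefix".
 * Returns the number of rdata bytes consumed, or -1 if the item is
 * malformed or does not fit. Hypothetical helper, not NSD's function. */
int apl_item_to_text(const uint8_t *rdata, size_t len, char *out, size_t outlen)
{
    uint8_t addr[16] = {0};          /* stack buffer: room for IPv6 only */
    char text[INET6_ADDRSTRLEN];
    size_t maxlen;
    int af;

    if (len < 4) return -1;          /* family(2) prefix(1) N|afdlength(1) */
    uint16_t family = (uint16_t)((rdata[0] << 8) | rdata[1]);
    uint8_t prefix = rdata[2];
    int negate = rdata[3] & 0x80;
    size_t afdlen = rdata[3] & 0x7f; /* attacker-controlled, 0..127 */

    if (family == 1) { af = AF_INET; maxlen = 4; }
    else if (family == 2) { af = AF_INET6; maxlen = 16; }
    else return -1;
    /* The length must fit both the address family and the remaining rdata. */
    if (afdlen > maxlen || afdlen > len - 4 || prefix > maxlen * 8) return -1;

    memcpy(addr, rdata + 4, afdlen); /* safe: afdlen <= maxlen <= sizeof addr */
    if (!inet_ntop(af, addr, text, sizeof text)) return -1;
    int n = snprintf(out, outlen, "%s%u:%s/%u", negate ? "!" : "",
                     (unsigned)family, text, (unsigned)prefix);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return (int)(4 + afdlen);
}

/* Constructed samples: a valid IPv4 item, and one claiming 127 address bytes. */
static const uint8_t sample_ok[] = {0x00, 0x01, 21, 0x03, 192, 168, 32};
static const uint8_t sample_big[4 + 127] = {0x00, 0x01, 21, 0x7f};

int main(void)
{
    char buf[64];
    if (apl_item_to_text(sample_ok, sizeof sample_ok, buf, sizeof buf) > 0)
        puts(buf);
    if (apl_item_to_text(sample_big, sizeof sample_big, buf, sizeof buf) < 0)
        puts("oversized afdlength rejected");
    return 0;
}
```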
Change Log [1]
[1] - https://github.com/NLnetLabs/nsd/blob/NSD_4_14_3_REL/doc/Cha...