Search
Find a vulnerability
Search criteria
10 vulnerabilities found for NSD by NLnet Labs
CVE-2026-12490 (GCVE-0-2026-12490)
Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:41
VLAI
Title
Bypass of client certificate verification with transfer over TLS
Summary
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.10.1 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:40:01.913311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:41:18.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions, and the tls-auth-xfr-only option is not explicitly set to yes (which it by default is not)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:41.814Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-06-16T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-06-17T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Bypass of client certificate verification with transfer over TLS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12490",
"datePublished": "2026-06-25T05:24:41.814Z",
"dateReserved": "2026-06-17T06:44:23.686Z",
"dateUpdated": "2026-06-25T12:41:18.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12246 (GCVE-0-2026-12246)
Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
VLAI
Title
Out of bounds stack write with crafted APL RR
Summary
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.14.0 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:41:56.092027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:42:05.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
},
{
"lang": "en",
"type": "finder",
"value": "Haruki Oyama from Waseda University"
},
{
"lang": "en",
"type": "finder",
"value": "zhangph"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Processing of a zone containing a crafted APL can crash NSD when writing the zone to disk. These zones can be provided by a trusted primary"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:29.512Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Haruki Oyama"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch with Qifan Zhang and Haruki Oyama"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "Haruki Oyama verifies patch"
},
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-16T00:00:00.000Z",
"value": "Issue reported by zhangph"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch with zhangph"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Out of bounds stack write with crafted APL RR",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12246",
"datePublished": "2026-06-25T05:24:29.512Z",
"dateReserved": "2026-06-15T06:47:44.761Z",
"dateUpdated": "2026-06-25T12:42:05.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12245 (GCVE-0-2026-12245)
Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
VLAI
Title
Denial of DNS over TLS service by any DoT client
Summary
NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.13.0 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12245",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:42:22.635356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:42:50.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.13.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Any client with access to the DoT port (853) can keep all iserve children in a crash-restart loop denying DoT service"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:18.620Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Denial of DNS over TLS service by any DoT client",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12245",
"datePublished": "2026-06-25T05:24:18.620Z",
"dateReserved": "2026-06-15T06:47:18.496Z",
"dateUpdated": "2026-06-25T12:42:50.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12244 (GCVE-0-2026-12244)
Vulnerability from nvd – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:45
VLAI
Title
Heap overflow and crash with crafted SVCB RR
Summary
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.14.0 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:45:15.927329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:45:34.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let\u0027s an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size \u003e 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes"
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Processing of a zonefile containing a crafted SVCB. These can be provided by a trusted primary"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:08.548Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Heap overflow and crash with crafted SVCB RR",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12244",
"datePublished": "2026-06-25T05:24:08.548Z",
"dateReserved": "2026-06-15T06:46:44.866Z",
"dateUpdated": "2026-06-25T12:45:34.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-28935 (GCVE-0-2020-28935)
Vulnerability from nvd – Published: 2020-12-07 21:46 – Updated: 2024-09-16 23:27
VLAI
Title
Local symlink attack in Unbound and NSD
Summary
NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.
Severity
No CVSS data available.
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
5 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | Unbound |
Affected:
<= 1.12.0
|
|
| NLnet Labs | NSD |
Affected:
<= 4.3.3
|
Date Public
2020-12-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:00.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
},
{
"name": "GLSA-202101-38",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202101-38"
},
{
"name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Unbound",
"vendor": "NLnet Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.12.0"
}
]
},
{
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.3.3"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "We would like to thank Mason Loring Bliss for bringing the issue to our attention."
}
],
"datePublic": "2020-12-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-29T00:00:00.000Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
},
{
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
},
{
"name": "GLSA-202101-38",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202101-38"
},
{
"name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
}
],
"title": "Local symlink attack in Unbound and NSD"
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2020-28935",
"datePublished": "2020-12-07T21:46:47.878Z",
"dateReserved": "2020-11-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:27:01.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-12490 (GCVE-0-2026-12490)
Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:41
VLAI
Title
Bypass of client certificate verification with transfer over TLS
Summary
When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.10.1 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:40:01.913311Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:41:18.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.10.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "When a provide-xfr is given with a tls-auth-name, a secondary requesting a transfer should provide a client certificate with that name. However, no client certificate is needed when the request comes in over TLS over the regular tls-port (and not the tls-auth-port) or over over TCP over the regular port, when the other conditions of the provide-xfr rule match."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Transfer security restrictions for client certificates can be bypassed completely if the attacker can match the other access control conditions, and the tls-auth-xfr-only option is not explicitly set to yes (which it by default is not)"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306: Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:41.814Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12490.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-06-16T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-06-17T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Bypass of client certificate verification with transfer over TLS",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12490",
"datePublished": "2026-06-25T05:24:41.814Z",
"dateReserved": "2026-06-17T06:44:23.686Z",
"dateUpdated": "2026-06-25T12:41:18.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12246 (GCVE-0-2026-12246)
Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
VLAI
Title
Out of bounds stack write with crafted APL RR
Summary
NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.14.0 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:41:56.092027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:42:05.428Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
},
{
"lang": "en",
"type": "finder",
"value": "Haruki Oyama from Waseda University"
},
{
"lang": "en",
"type": "finder",
"value": "zhangph"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NSD version 4.14.0 introduced a bug where a specially crafted APL RR, with an adflength larger than permitted for the address family will overwrite the stack when the zone is written to disk, with a maximum of 111 attacker controlled bytes."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Processing of a zone containing a crafted APL can crash NSD when writing the zone to disk. These zones can be provided by a trusted primary"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120: Buffer Copy without Checking Size of Input",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:29.512Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12246.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Haruki Oyama"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch with Qifan Zhang and Haruki Oyama"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "Haruki Oyama verifies patch"
},
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-16T00:00:00.000Z",
"value": "Issue reported by zhangph"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch with zhangph"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Out of bounds stack write with crafted APL RR",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12246",
"datePublished": "2026-06-25T05:24:29.512Z",
"dateReserved": "2026-06-15T06:47:44.761Z",
"dateUpdated": "2026-06-25T12:42:05.428Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12245 (GCVE-0-2026-12245)
Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:42
VLAI
Title
Denial of DNS over TLS service by any DoT client
Summary
NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-416 - Use After Free
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.13.0 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12245",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:42:22.635356Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:42:50.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.13.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NSD from version 4.13.0 has a heap use-after-free bug in logging errors on TLS connections, causing a crash of the server process, which can be triggered trivially by sending a DNS query over a DoT connection, and closing the connection without reading the response."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Any client with access to the DoT port (853) can keep all iserve children in a crash-restart loop denying DoT service"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-416",
"description": "CWE-416: Use After Free",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:18.620Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12245.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Denial of DNS over TLS service by any DoT client",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12245",
"datePublished": "2026-06-25T05:24:18.620Z",
"dateReserved": "2026-06-15T06:47:18.496Z",
"dateUpdated": "2026-06-25T12:42:50.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12244 (GCVE-0-2026-12244)
Vulnerability from cvelistv5 – Published: 2026-06-25 05:24 – Updated: 2026-06-25 12:45
VLAI
Title
Heap overflow and crash with crafted SVCB RR
Summary
If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let's an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size > 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-1… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | NSD |
Affected:
4.14.0 , < 4.14.3
(semver)
|
Date Public
2026-06-25 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-12244",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T12:45:15.927329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T12:45:34.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"lessThan": "4.14.3",
"status": "affected",
"version": "4.14.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qifan Zhang from Palo Alto Networks"
}
],
"datePublic": "2026-06-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "If NSD is configured as secondary for a zone, the primary of that zone can crash NSD with an AXFR containing a DNS message with a special crafted SVCB RR with an rdata size of 65512, that let\u0027s an (uint16_t) variable that is used to allocate space needed for the RR wrap (because total size \u003e 65535), causing a heap overflow. The attacker can perform a controlled (RCE class) head write of up to 65509 bytes"
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "Processing of a zonefile containing a crafted SVCB. These can be provided by a trusted primary"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-122",
"description": "CWE-122: Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T05:24:08.548Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2026-12244.txt"
}
],
"solutions": [
{
"lang": "en",
"value": "This issue is fixed starting with version 4.14.3."
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T00:00:00.000Z",
"value": "Issue reported by Qifan Zhang"
},
{
"lang": "en",
"time": "2026-06-12T00:00:00.000Z",
"value": "NLnet Labs shares patch"
},
{
"lang": "en",
"time": "2026-06-15T00:00:00.000Z",
"value": "Qifan Zhang verifies patch"
},
{
"lang": "en",
"time": "2026-06-25T00:00:00.000Z",
"value": "Fix released with version 4.14.3"
}
],
"title": "Heap overflow and crash with crafted SVCB RR",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2026-12244",
"datePublished": "2026-06-25T05:24:08.548Z",
"dateReserved": "2026-06-15T06:46:44.866Z",
"dateUpdated": "2026-06-25T12:45:34.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2020-28935 (GCVE-0-2020-28935)
Vulnerability from cvelistv5 – Published: 2020-12-07 21:46 – Updated: 2024-09-16 23:27
VLAI
Title
Local symlink attack in Unbound and NSD
Summary
NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.
Severity
No CVSS data available.
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
5 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| NLnet Labs | Unbound |
Affected:
<= 1.12.0
|
|
| NLnet Labs | NSD |
Affected:
<= 4.3.3
|
Date Public
2020-12-01 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:00.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
},
{
"name": "GLSA-202101-38",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202101-38"
},
{
"name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Unbound",
"vendor": "NLnet Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.12.0"
}
]
},
{
"product": "NSD",
"vendor": "NLnet Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.3.3"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "We would like to thank Mason Loring Bliss for bringing the issue to our attention."
}
],
"datePublic": "2020-12-01T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-29T00:00:00.000Z",
"orgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"shortName": "NLnet Labs"
},
"references": [
{
"url": "https://www.nlnetlabs.nl/downloads/unbound/CVE-2020-28935.txt"
},
{
"url": "https://www.nlnetlabs.nl/downloads/nsd/CVE-2020-28935.txt"
},
{
"name": "GLSA-202101-38",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202101-38"
},
{
"name": "[debian-lts-announce] 20210212 [SECURITY] [DLA 2556-1] unbound1.9 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00017.html"
},
{
"name": "[debian-lts-announce] 20230329 [SECURITY] [DLA 3371-1] unbound security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/03/msg00024.html"
}
],
"title": "Local symlink attack in Unbound and NSD"
}
},
"cveMetadata": {
"assignerOrgId": "206fc3a0-e175-490b-9eaa-a5738056c9f6",
"assignerShortName": "NLnet Labs",
"cveId": "CVE-2020-28935",
"datePublished": "2020-12-07T21:46:47.878Z",
"dateReserved": "2020-11-18T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:27:01.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}